Edit tour

Windows Analysis Report
rrequestforquotation.exe

Overview

General Information

Sample name:	rrequestforquotation.exe
Analysis ID:	1560713
MD5:	4a15ed0feb9e90b56e82c2e45a3b3f5e
SHA1:	659661291eb5fd6452d6cabdc24cd9fbc1fb17f7
SHA256:	d5d8c33957e90d1caca4b5207d8da5ab1bc4caa9f702abc0ec006d0518ea9aec
Tags:	exeuser-Porcupine
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rrequestforquotation.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\rrequestforquotation.exe" MD5: 4A15ED0FEB9E90B56E82C2E45A3B3F5E)

powershell.exe (PID: 7532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7580 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7960 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7624 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rrequestforquotation.exe (PID: 7792 cmdline: "C:\Users\user\Desktop\rrequestforquotation.exe" MD5: 4A15ED0FEB9E90B56E82C2E45A3B3F5E)

oGnCNPiCwiAocn.exe (PID: 7896 cmdline: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe MD5: 4A15ED0FEB9E90B56E82C2E45A3B3F5E)

schtasks.exe (PID: 8144 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

oGnCNPiCwiAocn.exe (PID: 2132 cmdline: "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe" MD5: 4A15ED0FEB9E90B56E82C2E45A3B3F5E)

oGnCNPiCwiAocn.exe (PID: 6112 cmdline: "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe" MD5: 4A15ED0FEB9E90B56E82C2E45A3B3F5E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1867:$a1: get_encryptedPassword 0x1b53:$a2: get_encryptedUsername 0x1673:$a3: get_timePasswordChanged 0x176e:$a4: get_passwordField 0x187d:$a5: set_encryptedPassword 0x2edb:$a7: get_logins 0x2e3e:$a10: KeyLoggerEventArgs 0x2aa9:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6929:$x1: $%SMTPDV$ 0x52c4:$x2: $#TheHashHere%& 0x5270:$x3: %FTPDV$ 0x69ff:$x4: $%TelegramDv$ 0x2aa9:$x5: KeyLoggerEventArgs 0x2e3e:$x5: KeyLoggerEventArgs 0x68f5:$m2: Clipboard Logs ID 0x6b4f:$m2: Screenshot Logs ID 0x6c5f:$m2: keystroke Logs ID 0x6f39:$m3: SnakePW 0x6b27:$m4: \SnakeKeylogger\
00000008.00000002.4145794163.0000000002B60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.4146056209.000000000307F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4145794163.0000000002991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.4146056209.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c3e37:$a1: get_encryptedPassword 0x1e4a57:$a1: get_encryptedPassword 0x205477:$a1: get_encryptedPassword 0x1c4123:$a2: get_encryptedUsername 0x1e4d43:$a2: get_encryptedUsername 0x205763:$a2: get_encryptedUsername 0x1c3c43:$a3: get_timePasswordChanged 0x1e4863:$a3: get_timePasswordChanged 0x205283:$a3: get_timePasswordChanged 0x1c3d3e:$a4: get_passwordField 0x1e495e:$a4: get_passwordField 0x20537e:$a4: get_passwordField 0x1c3e4d:$a5: set_encryptedPassword 0x1e4a6d:$a5: set_encryptedPassword 0x20548d:$a5: set_encryptedPassword 0x1c54ab:$a7: get_logins 0x1e60cb:$a7: get_logins 0x206aeb:$a7: get_logins 0x1c540e:$a10: KeyLoggerEventArgs 0x1e602e:$a10: KeyLoggerEventArgs 0x206a4e:$a10: KeyLoggerEventArgs
00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1c8ef9:$x1: $%SMTPDV$ 0x1e9b19:$x1: $%SMTPDV$ 0x20a539:$x1: $%SMTPDV$ 0x1c7894:$x2: $#TheHashHere%& 0x1e84b4:$x2: $#TheHashHere%& 0x208ed4:$x2: $#TheHashHere%& 0x1c7840:$x3: %FTPDV$ 0x1e8460:$x3: %FTPDV$ 0x208e80:$x3: %FTPDV$ 0x1c8fcf:$x4: $%TelegramDv$ 0x1e9bef:$x4: $%TelegramDv$ 0x20a60f:$x4: $%TelegramDv$ 0x1c5079:$x5: KeyLoggerEventArgs 0x1c540e:$x5: KeyLoggerEventArgs 0x1e5c99:$x5: KeyLoggerEventArgs 0x1e602e:$x5: KeyLoggerEventArgs 0x2066b9:$x5: KeyLoggerEventArgs 0x206a4e:$x5: KeyLoggerEventArgs 0x1c8ec5:$m2: Clipboard Logs ID 0x1c911f:$m2: Screenshot Logs ID 0x1c922f:$m2: keystroke Logs ID
Process Memory Space: rrequestforquotation.exe PID: 7284	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rrequestforquotation.exe PID: 7284	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rrequestforquotation.exe PID: 7284	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rrequestforquotation.exe PID: 7284	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x92418:$a1: get_encryptedPassword 0x926fa:$a2: get_encryptedUsername 0x9222e:$a3: get_timePasswordChanged 0x92329:$a4: get_passwordField 0x9242e:$a5: set_encryptedPassword 0x94712:$a7: get_logins 0x94675:$a10: KeyLoggerEventArgs 0x942e0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: rrequestforquotation.exe PID: 7284	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x942e0:$x5: KeyLoggerEventArgs 0x94675:$x5: KeyLoggerEventArgs 0x9516c:$x5: KeyLoggerEventArgs 0x954cd:$x5: KeyLoggerEventArgs 0x96ab3:$m2: Clipboard Logs ID 0x96bc7:$m2: Screenshot Logs ID 0x96c1d:$m2: keystroke Logs ID 0x96d52:$m3: SnakePW 0x96bb3:$m4: \SnakeKeylogger\
Process Memory Space: rrequestforquotation.exe PID: 7792	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rrequestforquotation.exe PID: 7792	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rrequestforquotation.exe PID: 7792	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x17537:$a1: get_encryptedPassword 0x17819:$a2: get_encryptedUsername 0x1734d:$a3: get_timePasswordChanged 0x17448:$a4: get_passwordField 0x1754d:$a5: set_encryptedPassword 0x19831:$a7: get_logins 0x19794:$a10: KeyLoggerEventArgs 0x193ff:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: rrequestforquotation.exe PID: 7792	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x193ff:$x5: KeyLoggerEventArgs 0x19794:$x5: KeyLoggerEventArgs 0x1a28b:$x5: KeyLoggerEventArgs 0x1a5ec:$x5: KeyLoggerEventArgs 0x1bbd2:$m2: Clipboard Logs ID 0x1bce6:$m2: Screenshot Logs ID 0x1bd3c:$m2: keystroke Logs ID 0x1be71:$m3: SnakePW 0x1bcd2:$m4: \SnakeKeylogger\
Process Memory Space: oGnCNPiCwiAocn.exe PID: 7896	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: oGnCNPiCwiAocn.exe PID: 6112	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: oGnCNPiCwiAocn.exe PID: 6112	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rrequestforquotation.exe.3e80ff0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rrequestforquotation.exe.3e80ff0.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rrequestforquotation.exe.3e80ff0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c67:$a1: get_encryptedPassword 0x12f53:$a2: get_encryptedUsername 0x12a73:$a3: get_timePasswordChanged 0x12b6e:$a4: get_passwordField 0x12c7d:$a5: set_encryptedPassword 0x142db:$a7: get_logins 0x1423e:$a10: KeyLoggerEventArgs 0x13ea9:$a11: KeyLoggerEventArgsEventHandler
0.2.rrequestforquotation.exe.3e80ff0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a6fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1992d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d60:$a4: \Orbitum\User Data\Default\Login Data 0x1ad9f:$a5: \Kometa\User Data\Default\Login Data
0.2.rrequestforquotation.exe.3e80ff0.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13846:$s1: UnHook 0x1384d:$s2: SetHook 0x13855:$s3: CallNextHook 0x13862:$s4: _hook
0.2.rrequestforquotation.exe.3e80ff0.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d29:$x1: $%SMTPDV$ 0x166c4:$x2: $#TheHashHere%& 0x16670:$x3: %FTPDV$ 0x17dff:$x4: $%TelegramDv$ 0x13ea9:$x5: KeyLoggerEventArgs 0x1423e:$x5: KeyLoggerEventArgs 0x17cf5:$m2: Clipboard Logs ID 0x17f4f:$m2: Screenshot Logs ID 0x1805f:$m2: keystroke Logs ID 0x18339:$m3: SnakePW 0x17f27:$m4: \SnakeKeylogger\
0.2.rrequestforquotation.exe.3e603d0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rrequestforquotation.exe.3e603d0.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rrequestforquotation.exe.3e603d0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c67:$a1: get_encryptedPassword 0x12f53:$a2: get_encryptedUsername 0x12a73:$a3: get_timePasswordChanged 0x12b6e:$a4: get_passwordField 0x12c7d:$a5: set_encryptedPassword 0x142db:$a7: get_logins 0x1423e:$a10: KeyLoggerEventArgs 0x13ea9:$a11: KeyLoggerEventArgsEventHandler
0.2.rrequestforquotation.exe.3e603d0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a6fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1992d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d60:$a4: \Orbitum\User Data\Default\Login Data 0x1ad9f:$a5: \Kometa\User Data\Default\Login Data
0.2.rrequestforquotation.exe.3e603d0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13846:$s1: UnHook 0x1384d:$s2: SetHook 0x13855:$s3: CallNextHook 0x13862:$s4: _hook
0.2.rrequestforquotation.exe.3e603d0.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d29:$x1: $%SMTPDV$ 0x166c4:$x2: $#TheHashHere%& 0x16670:$x3: %FTPDV$ 0x17dff:$x4: $%TelegramDv$ 0x13ea9:$x5: KeyLoggerEventArgs 0x1423e:$x5: KeyLoggerEventArgs 0x17cf5:$m2: Clipboard Logs ID 0x17f4f:$m2: Screenshot Logs ID 0x1805f:$m2: keystroke Logs ID 0x18339:$m3: SnakePW 0x17f27:$m4: \SnakeKeylogger\
0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a67:$a1: get_encryptedPassword 0x35487:$a1: get_encryptedPassword 0x14d53:$a2: get_encryptedUsername 0x35773:$a2: get_encryptedUsername 0x14873:$a3: get_timePasswordChanged 0x35293:$a3: get_timePasswordChanged 0x1496e:$a4: get_passwordField 0x3538e:$a4: get_passwordField 0x14a7d:$a5: set_encryptedPassword 0x3549d:$a5: set_encryptedPassword 0x160db:$a7: get_logins 0x36afb:$a7: get_logins 0x1603e:$a10: KeyLoggerEventArgs 0x36a5e:$a10: KeyLoggerEventArgs 0x15ca9:$a11: KeyLoggerEventArgsEventHandler 0x366c9:$a11: KeyLoggerEventArgsEventHandler
0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c4fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf1b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b72d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c14d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb60:$a4: \Orbitum\User Data\Default\Login Data 0x3c580:$a4: \Orbitum\User Data\Default\Login Data 0x1cb9f:$a5: \Kometa\User Data\Default\Login Data 0x3d5bf:$a5: \Kometa\User Data\Default\Login Data
0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15646:$s1: UnHook 0x36066:$s1: UnHook 0x1564d:$s2: SetHook 0x3606d:$s2: SetHook 0x15655:$s3: CallNextHook 0x36075:$s3: CallNextHook 0x15662:$s4: _hook 0x36082:$s4: _hook
0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b29:$x1: $%SMTPDV$ 0x3a549:$x1: $%SMTPDV$ 0x184c4:$x2: $#TheHashHere%& 0x38ee4:$x2: $#TheHashHere%& 0x18470:$x3: %FTPDV$ 0x38e90:$x3: %FTPDV$ 0x19bff:$x4: $%TelegramDv$ 0x3a61f:$x4: $%TelegramDv$ 0x15ca9:$x5: KeyLoggerEventArgs 0x1603e:$x5: KeyLoggerEventArgs 0x366c9:$x5: KeyLoggerEventArgs 0x36a5e:$x5: KeyLoggerEventArgs 0x19af5:$m2: Clipboard Logs ID 0x19d4f:$m2: Screenshot Logs ID 0x19e5f:$m2: keystroke Logs ID 0x3a515:$m2: Clipboard Logs ID 0x3a76f:$m2: Screenshot Logs ID 0x3a87f:$m2: keystroke Logs ID 0x1a139:$m3: SnakePW 0x3ab59:$m3: SnakePW 0x19d27:$m4: \SnakeKeylogger\
0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a67:$a1: get_encryptedPassword 0x35687:$a1: get_encryptedPassword 0x560a7:$a1: get_encryptedPassword 0x14d53:$a2: get_encryptedUsername 0x35973:$a2: get_encryptedUsername 0x56393:$a2: get_encryptedUsername 0x14873:$a3: get_timePasswordChanged 0x35493:$a3: get_timePasswordChanged 0x55eb3:$a3: get_timePasswordChanged 0x1496e:$a4: get_passwordField 0x3558e:$a4: get_passwordField 0x55fae:$a4: get_passwordField 0x14a7d:$a5: set_encryptedPassword 0x3569d:$a5: set_encryptedPassword 0x560bd:$a5: set_encryptedPassword 0x160db:$a7: get_logins 0x36cfb:$a7: get_logins 0x5771b:$a7: get_logins 0x1603e:$a10: KeyLoggerEventArgs 0x36c5e:$a10: KeyLoggerEventArgs 0x5767e:$a10: KeyLoggerEventArgs
0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c4fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d11b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5db3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b72d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c34d:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cd6d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb60:$a4: \Orbitum\User Data\Default\Login Data 0x3c780:$a4: \Orbitum\User Data\Default\Login Data 0x5d1a0:$a4: \Orbitum\User Data\Default\Login Data 0x1cb9f:$a5: \Kometa\User Data\Default\Login Data 0x3d7bf:$a5: \Kometa\User Data\Default\Login Data 0x5e1df:$a5: \Kometa\User Data\Default\Login Data
0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15646:$s1: UnHook 0x36266:$s1: UnHook 0x56c86:$s1: UnHook 0x1564d:$s2: SetHook 0x3626d:$s2: SetHook 0x56c8d:$s2: SetHook 0x15655:$s3: CallNextHook 0x36275:$s3: CallNextHook 0x56c95:$s3: CallNextHook 0x15662:$s4: _hook 0x36282:$s4: _hook 0x56ca2:$s4: _hook
0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b29:$x1: $%SMTPDV$ 0x3a749:$x1: $%SMTPDV$ 0x5b169:$x1: $%SMTPDV$ 0x184c4:$x2: $#TheHashHere%& 0x390e4:$x2: $#TheHashHere%& 0x59b04:$x2: $#TheHashHere%& 0x18470:$x3: %FTPDV$ 0x39090:$x3: %FTPDV$ 0x59ab0:$x3: %FTPDV$ 0x19bff:$x4: $%TelegramDv$ 0x3a81f:$x4: $%TelegramDv$ 0x5b23f:$x4: $%TelegramDv$ 0x15ca9:$x5: KeyLoggerEventArgs 0x1603e:$x5: KeyLoggerEventArgs 0x368c9:$x5: KeyLoggerEventArgs 0x36c5e:$x5: KeyLoggerEventArgs 0x572e9:$x5: KeyLoggerEventArgs 0x5767e:$x5: KeyLoggerEventArgs 0x19af5:$m2: Clipboard Logs ID 0x19d4f:$m2: Screenshot Logs ID 0x19e5f:$m2: keystroke Logs ID
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rrequestforquotation.exe", ParentImage: C:\Users\user\Desktop\rrequestforquotation.exe, ParentProcessId: 7284, ParentProcessName: rrequestforquotation.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe", ProcessId: 7532, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe, ParentImage: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe, ParentProcessId: 7896, ParentProcessName: oGnCNPiCwiAocn.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp", ProcessId: 8144, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rrequestforquotation.exe", ParentImage: C:\Users\user\Desktop\rrequestforquotation.exe, ParentProcessId: 7284, ParentProcessName: rrequestforquotation.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp", ProcessId: 7624, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rrequestforquotation.exe", ParentImage: C:\Users\user\Desktop\rrequestforquotation.exe, ParentProcessId: 7284, ParentProcessName: rrequestforquotation.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe", ProcessId: 7532, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rrequestforquotation.exe", ParentImage: C:\Users\user\Desktop\rrequestforquotation.exe, ParentProcessId: 7284, ParentProcessName: rrequestforquotation.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp", ProcessId: 7624, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T08:32:11.267133+0100	2803305	3	Unknown Traffic	192.168.2.4	49737	172.67.177.134	443	TCP
2024-11-22T08:32:14.885958+0100	2803305	3	Unknown Traffic	192.168.2.4	49739	172.67.177.134	443	TCP
2024-11-22T08:32:18.012891+0100	2803305	3	Unknown Traffic	192.168.2.4	49745	172.67.177.134	443	TCP
2024-11-22T08:32:20.669145+0100	2803305	3	Unknown Traffic	192.168.2.4	49749	172.67.177.134	443	TCP
2024-11-22T08:32:27.701109+0100	2803305	3	Unknown Traffic	192.168.2.4	49760	172.67.177.134	443	TCP
2024-11-22T08:32:30.402900+0100	2803305	3	Unknown Traffic	192.168.2.4	49763	172.67.177.134	443	TCP
2024-11-22T08:32:30.811460+0100	2803305	3	Unknown Traffic	192.168.2.4	49764	172.67.177.134	443	TCP
2024-11-22T08:32:33.504792+0100	2803305	3	Unknown Traffic	192.168.2.4	49766	172.67.177.134	443	TCP
2024-11-22T08:32:39.957714+0100	2803305	3	Unknown Traffic	192.168.2.4	49770	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T08:32:07.241640+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49735	193.122.6.168	80	TCP
2024-11-22T08:32:09.601017+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49735	193.122.6.168	80	TCP
2024-11-22T08:32:13.210408+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	193.122.6.168	80	TCP
2024-11-22T08:32:15.866686+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	193.122.6.168	80	TCP
2024-11-22T08:32:16.298602+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49742	193.122.6.168	80	TCP
2024-11-22T08:32:18.991673+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	193.122.6.168	80	TCP
2024-11-22T08:32:22.132707+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49752	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rrequestforquotation.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Avira: detection malicious, Label: HEUR/AGEN.1309540

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Virustotal: Detection: 43%

Perma Link

Multi AV Scanner detection for submitted file

Source: rrequestforquotation.exe

Virustotal: Detection: 43%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: rrequestforquotation.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: rrequestforquotation.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49744 version: TLS 1.0

Source: rrequestforquotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 012A483Fh	0_2_012A4668
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 0778AB84h	0_2_0778A756
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 00F9F1F6h	8_2_00F9F017
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 00F9FB80h	8_2_00F9F017
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_00F9E528
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_00F9EB5B
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_00F9ED3C
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06758945h	8_2_06758608
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 067558C1h	8_2_06755618
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06756171h	8_2_06755EC8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06756A21h	8_2_06756778
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06757751h	8_2_067574A8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06750741h	8_2_06750498
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06758001h	8_2_06757D58
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06750FF1h	8_2_06750D48
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06755D19h	8_2_06755A70
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 067565C9h	8_2_06756320
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06756E79h	8_2_06756BD0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_067533B8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_067533A8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 067572FAh	8_2_06757050
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 067502E9h	8_2_06750040
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06750B99h	8_2_067508F0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06757BA9h	8_2_06757900
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06758459h	8_2_067581B0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 4x nop then jmp 06755441h	8_2_06755198
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 0258483Fh	9_2_02584668
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 06F09DC4h	9_2_06F09996
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 0144F1F6h	15_2_0144F007
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 0144FB80h	15_2_0144F007
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_0144E528
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F8945h	15_2_059F8608
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F5441h	15_2_059F5198
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F8459h	15_2_059F81B0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F7BA9h	15_2_059F7900
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F8001h	15_2_059F7D58
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F0FF1h	15_2_059F0D48
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F0741h	15_2_059F0498
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F7751h	15_2_059F74A8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F0B99h	15_2_059F08F0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F72FAh	15_2_059F7050
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F02E9h	15_2_059F0040
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	15_2_059F33B8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	15_2_059F33A8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F6E79h	15_2_059F6BD0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F65C9h	15_2_059F6320
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F6A21h	15_2_059F6778
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	15_2_059F36CE
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F6171h	15_2_059F5EC8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F58C1h	15_2_059F5618
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 4x nop then jmp 059F5D19h	15_2_059F5A70

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49752 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49763 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49760 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49770 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49764 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49744 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003043000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F6B000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002991000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: rrequestforquotation.exe, 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: rrequestforquotation.exe, 00000000.00000002.1746469982.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002991000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 00000009.00000002.1838856282.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: rrequestforquotation.exe, 00000000.00000002.1756404377.0000000005EA0000.00000004.00000020.00020000.00000000.sdmp, rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: rrequestforquotation.exe, oGnCNPiCwiAocn.exe.0.dr	String found in binary or memory: https://github.com/ppx17/Onkyo-Remote-Control
Source: rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: rrequestforquotation.exe, 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rrequestforquotation.exe

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_012ADF94	0_2_012ADF94
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_0778BD78	0_2_0778BD78
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07785670	0_2_07785670
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07785238	0_2_07785238
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07785228	0_2_07785228
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07784E00	0_2_07784E00
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07786E88	0_2_07786E88
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_077849C8	0_2_077849C8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_077849A7	0_2_077849A7
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07A04FC8	0_2_07A04FC8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07A08500	0_2_07A08500
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07A054D8	0_2_07A054D8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07A02106	0_2_07A02106
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07A02C38	0_2_07A02C38
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07A0E288	0_2_07A0E288
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07A0E279	0_2_07A0E279
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9F017	8_2_00F9F017
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9C190	8_2_00F9C190
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F96108	8_2_00F96108
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9B4FB	8_2_00F9B4FB
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9C477	8_2_00F9C477
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9C75F	8_2_00F9C75F
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F96730	8_2_00F96730
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F94AD9	8_2_00F94AD9
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9CA31	8_2_00F9CA31
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9BBD7	8_2_00F9BBD7
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9BEB0	8_2_00F9BEB0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9357F	8_2_00F9357F
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9E528	8_2_00F9E528
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_00F9E523	8_2_00F9E523
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675D670	8_2_0675D670
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06758608	8_2_06758608
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675B6E8	8_2_0675B6E8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675A408	8_2_0675A408
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675BD38	8_2_0675BD38
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675AA58	8_2_0675AA58
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06758B58	8_2_06758B58
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675C388	8_2_0675C388
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675D028	8_2_0675D028
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675B0A0	8_2_0675B0A0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675C9D8	8_2_0675C9D8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_067511A0	8_2_067511A0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675D663	8_2_0675D663
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06755618	8_2_06755618
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675560A	8_2_0675560A
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675B6D9	8_2_0675B6D9
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06755EC8	8_2_06755EC8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06755EB8	8_2_06755EB8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06756778	8_2_06756778
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06753730	8_2_06753730
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06754430	8_2_06754430
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_067574A8	8_2_067574A8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06757497	8_2_06757497
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06750498	8_2_06750498
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06750488	8_2_06750488
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06757D58	8_2_06757D58
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06750D48	8_2_06750D48
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06757D48	8_2_06757D48
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06750D39	8_2_06750D39
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675BD28	8_2_0675BD28
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_067585FC	8_2_067585FC
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06755A70	8_2_06755A70
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06755A60	8_2_06755A60
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675AA48	8_2_0675AA48
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675C378	8_2_0675C378
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06756320	8_2_06756320
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06756312	8_2_06756312
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675A3F8	8_2_0675A3F8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06756BD0	8_2_06756BD0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06756BC1	8_2_06756BC1
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_067533B8	8_2_067533B8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_067533A8	8_2_067533A8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06757050	8_2_06757050
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06750040	8_2_06750040
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06757040	8_2_06757040
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06752818	8_2_06752818
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675D018	8_2_0675D018
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06750007	8_2_06750007
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06752807	8_2_06752807
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_067508F0	8_2_067508F0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_067578F0	8_2_067578F0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_067508E0	8_2_067508E0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675B090	8_2_0675B090
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06757900	8_2_06757900
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675C9C8	8_2_0675C9C8
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_067581B0	8_2_067581B0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_067581A0	8_2_067581A0
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06751191	8_2_06751191
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_06755198	8_2_06755198
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 8_2_0675518A	8_2_0675518A
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_0258DF94	9_2_0258DF94
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F0B0A9	9_2_06F0B0A9
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F06E88	9_2_06F06E88
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F05670	9_2_06F05670
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F04E00	9_2_06F04E00
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F05238	9_2_06F05238
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F05228	9_2_06F05228
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F049C8	9_2_06F049C8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F049A7	9_2_06F049A7
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_01446108	15_2_01446108
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144C190	15_2_0144C190
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144F007	15_2_0144F007
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144B328	15_2_0144B328
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144C470	15_2_0144C470
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144C752	15_2_0144C752
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_01449858	15_2_01449858
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_01446880	15_2_01446880
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144BBD2	15_2_0144BBD2
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144CA32	15_2_0144CA32
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_01444AD9	15_2_01444AD9
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144BEB0	15_2_0144BEB0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_01443572	15_2_01443572
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144E517	15_2_0144E517
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144E528	15_2_0144E528
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_0144B4F2	15_2_0144B4F2
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FC9D8	15_2_059FC9D8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FBD38	15_2_059FBD38
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FB0A0	15_2_059FB0A0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FA408	15_2_059FA408
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FD028	15_2_059FD028
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FC388	15_2_059FC388
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F8B58	15_2_059F8B58
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FB6E8	15_2_059FB6E8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F8608	15_2_059F8608
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FAA58	15_2_059FAA58
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FD670	15_2_059FD670
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F5198	15_2_059F5198
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F1191	15_2_059F1191
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F518A	15_2_059F518A
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F81B0	15_2_059F81B0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F11A0	15_2_059F11A0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F81A0	15_2_059F81A0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FC9C8	15_2_059FC9C8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F85FC	15_2_059F85FC
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F7900	15_2_059F7900
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F0D39	15_2_059F0D39
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FBD28	15_2_059FBD28
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F7D58	15_2_059F7D58
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F0D48	15_2_059F0D48
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F7D48	15_2_059F7D48
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F0498	15_2_059F0498
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F7497	15_2_059F7497
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FB08F	15_2_059FB08F
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F0488	15_2_059F0488
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F74A8	15_2_059F74A8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F08F0	15_2_059F08F0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F78F0	15_2_059F78F0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F08E0	15_2_059F08E0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F2818	15_2_059F2818
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FD018	15_2_059FD018
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F2807	15_2_059F2807
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F0006	15_2_059F0006
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F4430	15_2_059F4430
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F7050	15_2_059F7050
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F0040	15_2_059F0040
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F7040	15_2_059F7040
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F33B8	15_2_059F33B8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F33A8	15_2_059F33A8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F6BD0	15_2_059F6BD0
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F6BC1	15_2_059F6BC1
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FA3F8	15_2_059FA3F8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F6310	15_2_059F6310
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F3730	15_2_059F3730
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F6320	15_2_059F6320
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F6778	15_2_059F6778
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FC378	15_2_059FC378
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F676A	15_2_059F676A
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F5EB8	15_2_059F5EB8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FB6D9	15_2_059FB6D9
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F5EC8	15_2_059F5EC8
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F5618	15_2_059F5618
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F5609	15_2_059F5609
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FAA48	15_2_059FAA48
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F5A70	15_2_059F5A70
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059FD662	15_2_059FD662
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_059F5A60	15_2_059F5A60

Source: rrequestforquotation.exe, 00000000.00000002.1753494185.0000000005590000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1746469982.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1746469982.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1744711417.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000000.1664980863.00000000008F6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerwui.exeB vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1754030257.0000000005CA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exe.muij% vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000000.00000002.1759798565.00000000076E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rrequestforquotation.exe
Source: rrequestforquotation.exe, 00000008.00000002.4142900425.0000000000B37000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rrequestforquotation.exe
Source: rrequestforquotation.exe	Binary or memory string: OriginalFilenamerwui.exeB vs rrequestforquotation.exe

Source: rrequestforquotation.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: rrequestforquotation.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: oGnCNPiCwiAocn.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, C--K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, C--K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, --A.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, --A.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, C--K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, C--K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, --A.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, --A.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, juqVWnykJF34oGXK3k.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, juqVWnykJF34oGXK3k.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, DpwDuYlfrcsRiIHau0.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, DpwDuYlfrcsRiIHau0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, DpwDuYlfrcsRiIHau0.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, DpwDuYlfrcsRiIHau0.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, DpwDuYlfrcsRiIHau0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, DpwDuYlfrcsRiIHau0.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2

Source: C:\Users\user\Desktop\rrequestforquotation.exe

File created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03

Source: C:\Users\user\Desktop\rrequestforquotation.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC98D.tmp

Jump to behavior

Source: rrequestforquotation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rrequestforquotation.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\rrequestforquotation.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rrequestforquotation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000310E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rrequestforquotation.exe

Virustotal: Detection: 43%

Source: rrequestforquotation.exe

String found in binary or memory: 0 All OKS1 Not all required parameters are given-2 Invalid IP-Address

Source: C:\Users\user\Desktop\rrequestforquotation.exe

File read: C:\Users\user\Desktop\rrequestforquotation.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rrequestforquotation.exe "C:\Users\user\Desktop\rrequestforquotation.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Users\user\Desktop\rrequestforquotation.exe "C:\Users\user\Desktop\rrequestforquotation.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Users\user\Desktop\rrequestforquotation.exe "C:\Users\user\Desktop\rrequestforquotation.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\rrequestforquotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\rrequestforquotation.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\rrequestforquotation.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: rrequestforquotation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rrequestforquotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, DpwDuYlfrcsRiIHau0.cs	.Net Code: eoFUgZjjTi System.Reflection.Assembly.Load(byte[])
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, DpwDuYlfrcsRiIHau0.cs	.Net Code: eoFUgZjjTi System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_077804EC push eax; ret	0_2_077804ED
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07788240 pushfd ; retf	0_2_07788241
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07A036D7 push ebx; iretd	0_2_07A036DA
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07A03AD9 push ebx; retf	0_2_07A03ADA
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Code function: 0_2_07A0A9A8 push 000569C3h; ret	0_2_07A0AB89
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_0258EEE0 push eax; iretd	9_2_0258EEE1
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_0258EF28 pushad ; iretd	9_2_0258EF29
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F0A720 push 0000005Dh; ret	9_2_06F0A71A
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F004EC push eax; ret	9_2_06F004ED
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 9_2_06F08578 push eax; iretd	9_2_06F08579
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Code function: 15_2_014494D5 push 8BF88B71h; retf	15_2_014494DA

Source: rrequestforquotation.exe	Static PE information: section name: .text entropy: 7.816513553096816
Source: oGnCNPiCwiAocn.exe.0.dr	Static PE information: section name: .text entropy: 7.816513553096816

Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, GYku1roNwo5rBaMuWt.cs	High entropy of concatenated method names: 'HiG962KvRq', 'kFy9wLUSb1', 'EDU9yd5CFb', 'iJm9o42faP', 'cuH9QflC5l', 'Mjv9Dorc9t', 'Hh1954I0bQ', 'Qlr9JQRrAB', 'tFQ9KwY4oN', 'SRG9Y5MlGZ'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, QSpSsQL0khNy7Qj79R.cs	High entropy of concatenated method names: 'fGpSEVu8VO', 'BApSeINopN', 'geF9rynHLj', 'LXb9NniBh4', 'ndw9C7ogd1', 'zdd9MSJVHX', 'eGe94X0Ibg', 'ugb9aYHmwA', 'IrG9hnKmx2', 'MTc9j9HxIw'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, YX4IEbBrg4SD6qmE5u.cs	High entropy of concatenated method names: 'kLQn7YE2Ih', 'IENnI2hudE', 'wx5nS4eYan', 'diYnpDTce2', 'bDbnlvDab2', 'XUKSGYD1VA', 'tSvS3PD1mn', 'VoQSvBgGEN', 'GvGSbbJVfP', 'Wc3SAgsiPA'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, OeiyTIhDn8YGOTrZlh.cs	High entropy of concatenated method names: 'Rt8pTE1bs4', 'BuNptERmrk', 'GR0pgdreGS', 'ysOp6jVg5Y', 'vjqpEbTXEF', 'XJ8pw2CErB', 'Ve8peKrDaw', 'fJvpyNLTij', 'sMZpoQUwup', 'rUcpLr7sjM'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, LlYKnD1V9gkRGyC1p5.cs	High entropy of concatenated method names: 'TNnglcwR1', 'BhY6BQVck', 'qsDw3S0jo', 'qiseECCU1', 'TJ1oyPrde', 'dmlLCLmql', 'UFDMhLnHhYSyqc9Jmp', 'VUvVu3HjTFL4VLkIWS', 'yBNJLq0sp', 'BdxYQsowe'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, noJVUCPHmWUAi424VOb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tghY8vgNSB', 'YsUYmV5vi7', 'tuhYxc8wlr', 'e0cYuGyiUf', 'dkgYFfT0xt', 'ahcYW3K6yF', 'roSY2nQPKR'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, q9AcqOUYlHAMkDLhYw.cs	High entropy of concatenated method names: 'y4nPpuqVWn', 'HJFPl34oGX', 'HNwPZo5rBa', 'KuWP0txSpS', 'oj7PQ9RiX4', 'gEbPDrg4SD', 'YbNQtStToN8IAuJDjO', 'JqMjheW3pYqdDXrDll', 'yJOPPbZcxj', 'KF1PsBvZYl'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, NEKS1qPsAFU1Osfwq1h.cs	High entropy of concatenated method names: 'RwBOiwRy8W', 'WIOOzgQyV9', 'WrIXHf0UMs', 'YusTijSYNavnmmwtyeL', 'pBKsF1SzlGPMrjcbs3c', 'h6GfP9q4Pwnv420IBJH', 'w7uowfqXQaHEI6kwHmX'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, gCTJf33HZ6l9Op9aZO.cs	High entropy of concatenated method names: 'UYl5bc4iCW', 'dOF5iVa5yK', 'eQgJHxERT2', 'JJiJProqJU', 'PBl58JW3oU', 'N6c5mTLgYS', 'N7H5xAQ7yu', 'UHm5uQhYJR', 'kdk5FJeNyG', 'rJj5Wcn43Q'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, e6HY9Yx1ceLU0f0cxR.cs	High entropy of concatenated method names: 'u2BRye9atX', 'AxQRoVPHf8', 'NQPRBLfM1U', 'KZ1RkV1P6d', 'tdWRN9x7RD', 'e5lRC7YW7X', 'SG0R43Lubp', 'CLARaQJEDg', 'qSpRjbsf7r', 'nfKR8ertZi'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, r3Pmvkz50iQUhHHYPJ.cs	High entropy of concatenated method names: 'Q1BYwsWGe0', 'OjOYysuN8d', 'SoSYoecYm3', 'a28YBvb0J6', 'E7wYkqXrJT', 'YBoYNisfPM', 'W6NYCG8cjb', 'PivYfMw6oq', 'AbcYTSUPeZ', 'dUfYtpgB03'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, V9oYJ5PUNJtmrX5Oda7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DetXK9dOaE', 'WwWXYAj0uh', 'svFXOYtEcC', 'DYYXXDxbMe', 'WeKXc9pmBf', 'EEHXdZcdO1', 'PLfXfHuD2m'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, DpwDuYlfrcsRiIHau0.cs	High entropy of concatenated method names: 'hNUs71RsHe', 'jtusqNuYvg', 'EEFsIRF7o2', 'Wqgs9MawBC', 'bp4sSpubSQ', 'CgwsnACAth', 'AhaspZlYG8', 'XcuslZUQLx', 'HeasVP7ZsM', 'PRSsZZDAfu'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, eyv5YOuMjDLrlxxby8.cs	High entropy of concatenated method names: 'TBsQjMdnj4', 'hbkQmToKY1', 'S4yQuZJ3K8', 'jvjQFWLgPB', 'iErQkARCih', 'G63Qr4RXJ8', 'bP3QN3qllB', 'zvLQCViqIl', 'uSGQMU9oxq', 'JvkQ4MFfAj'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, OlKBxpAU6MoVNw4Ycq.cs	High entropy of concatenated method names: 'HBpKBBKhsI', 'TTGKkl4bE6', 'HybKrDOk7p', 'Du2KNY2s6n', 'xiCKC1mRhU', 'UYuKMTkwrX', 'KGCK4eUp05', 'uKGKabbvdZ', 'mhiKh8SwmT', 'k1eKjEOOHy'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, I7dWmOvlfxTPrEsXZh.cs	High entropy of concatenated method names: 'tBJKQXEauU', 'ojwK5WrHc1', 'DuuKKlCGjn', 'eQeKOKQGJ1', 'cDjKcRipXe', 'wX7Kf57qxb', 'Dispose', 'PljJqBrkai', 'PV0JIB1sYQ', 'ljcJ9H8pT5'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, FsVG3kPPXPBJ5utfbyr.cs	High entropy of concatenated method names: 'uxqYi5iImu', 'EhjYzKQTej', 'OlhOH6RXdm', 'XZkOP7uNsa', 'bYSO1adajF', 'CA3OsAkPS3', 'mmmOUC1ju5', 'jsSO7cVA0e', 'PbyOqhVGws', 'wJ1OISaS1x'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, bHBohr2Tn3xNRHDyxl.cs	High entropy of concatenated method names: 'uBS5Z82B7J', 'SZP50gFU18', 'ToString', 'I0d5qZHVGQ', 'IJN5IbJOlR', 'UsL59SJyaq', 'IrB5SPKTEy', 'FBN5nG89aw', 'VYA5pdGqn3', 'U7T5l5HmAT'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, rha776WQSPKos2EHbJ.cs	High entropy of concatenated method names: 'ToString', 't2YD8MPnT6', 'jJGDkytpO5', 'bMODroPurI', 'VpcDNEHATn', 'lRnDCHaufL', 'ybeDM0XPh6', 'l35D4Y2dql', 'YiADaRHeSq', 'PSQDhxs5uP'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, juqVWnykJF34oGXK3k.cs	High entropy of concatenated method names: 'psKIuej4bp', 'pM8IFvDN1i', 'NMjIWTkkOR', 'NLII2yO5IT', 'G46IGhy3a4', 'G4xI3EKe6S', 'gVHIvMuKL6', 'KxgIbYuPZ3', 'mbMIASNfhZ', 'jl7IidbwtC'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, F5O3tc92kohVo17ZZC.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ptl1A0Y5kl', 'jTj1iJf1kN', 'DaY1znNUr4', 'nNBsHwg1v6', 'U6gsPCGtVs', 'UFFs1LgtEr', 'Rm5ssabF1A', 'TmULl5XAcgryKURRD8H'
Source: 0.2.rrequestforquotation.exe.76e0000.5.raw.unpack, A9wJF2IoxiZX04GLPG.cs	High entropy of concatenated method names: 'Dispose', 'QTPPArEsXZ', 'lha1k5M2JS', 'PMHEXYlvWx', 'NN5Pi8YBfx', 'BbcPzmuOca', 'ProcessDialogKey', 'hS81HlKBxp', 'd6M1PoVNw4', 'scq11rfSvG'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, GYku1roNwo5rBaMuWt.cs	High entropy of concatenated method names: 'HiG962KvRq', 'kFy9wLUSb1', 'EDU9yd5CFb', 'iJm9o42faP', 'cuH9QflC5l', 'Mjv9Dorc9t', 'Hh1954I0bQ', 'Qlr9JQRrAB', 'tFQ9KwY4oN', 'SRG9Y5MlGZ'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, QSpSsQL0khNy7Qj79R.cs	High entropy of concatenated method names: 'fGpSEVu8VO', 'BApSeINopN', 'geF9rynHLj', 'LXb9NniBh4', 'ndw9C7ogd1', 'zdd9MSJVHX', 'eGe94X0Ibg', 'ugb9aYHmwA', 'IrG9hnKmx2', 'MTc9j9HxIw'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, YX4IEbBrg4SD6qmE5u.cs	High entropy of concatenated method names: 'kLQn7YE2Ih', 'IENnI2hudE', 'wx5nS4eYan', 'diYnpDTce2', 'bDbnlvDab2', 'XUKSGYD1VA', 'tSvS3PD1mn', 'VoQSvBgGEN', 'GvGSbbJVfP', 'Wc3SAgsiPA'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, OeiyTIhDn8YGOTrZlh.cs	High entropy of concatenated method names: 'Rt8pTE1bs4', 'BuNptERmrk', 'GR0pgdreGS', 'ysOp6jVg5Y', 'vjqpEbTXEF', 'XJ8pw2CErB', 'Ve8peKrDaw', 'fJvpyNLTij', 'sMZpoQUwup', 'rUcpLr7sjM'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, LlYKnD1V9gkRGyC1p5.cs	High entropy of concatenated method names: 'TNnglcwR1', 'BhY6BQVck', 'qsDw3S0jo', 'qiseECCU1', 'TJ1oyPrde', 'dmlLCLmql', 'UFDMhLnHhYSyqc9Jmp', 'VUvVu3HjTFL4VLkIWS', 'yBNJLq0sp', 'BdxYQsowe'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, noJVUCPHmWUAi424VOb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tghY8vgNSB', 'YsUYmV5vi7', 'tuhYxc8wlr', 'e0cYuGyiUf', 'dkgYFfT0xt', 'ahcYW3K6yF', 'roSY2nQPKR'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, q9AcqOUYlHAMkDLhYw.cs	High entropy of concatenated method names: 'y4nPpuqVWn', 'HJFPl34oGX', 'HNwPZo5rBa', 'KuWP0txSpS', 'oj7PQ9RiX4', 'gEbPDrg4SD', 'YbNQtStToN8IAuJDjO', 'JqMjheW3pYqdDXrDll', 'yJOPPbZcxj', 'KF1PsBvZYl'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, NEKS1qPsAFU1Osfwq1h.cs	High entropy of concatenated method names: 'RwBOiwRy8W', 'WIOOzgQyV9', 'WrIXHf0UMs', 'YusTijSYNavnmmwtyeL', 'pBKsF1SzlGPMrjcbs3c', 'h6GfP9q4Pwnv420IBJH', 'w7uowfqXQaHEI6kwHmX'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, gCTJf33HZ6l9Op9aZO.cs	High entropy of concatenated method names: 'UYl5bc4iCW', 'dOF5iVa5yK', 'eQgJHxERT2', 'JJiJProqJU', 'PBl58JW3oU', 'N6c5mTLgYS', 'N7H5xAQ7yu', 'UHm5uQhYJR', 'kdk5FJeNyG', 'rJj5Wcn43Q'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, e6HY9Yx1ceLU0f0cxR.cs	High entropy of concatenated method names: 'u2BRye9atX', 'AxQRoVPHf8', 'NQPRBLfM1U', 'KZ1RkV1P6d', 'tdWRN9x7RD', 'e5lRC7YW7X', 'SG0R43Lubp', 'CLARaQJEDg', 'qSpRjbsf7r', 'nfKR8ertZi'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, r3Pmvkz50iQUhHHYPJ.cs	High entropy of concatenated method names: 'Q1BYwsWGe0', 'OjOYysuN8d', 'SoSYoecYm3', 'a28YBvb0J6', 'E7wYkqXrJT', 'YBoYNisfPM', 'W6NYCG8cjb', 'PivYfMw6oq', 'AbcYTSUPeZ', 'dUfYtpgB03'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, V9oYJ5PUNJtmrX5Oda7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DetXK9dOaE', 'WwWXYAj0uh', 'svFXOYtEcC', 'DYYXXDxbMe', 'WeKXc9pmBf', 'EEHXdZcdO1', 'PLfXfHuD2m'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, DpwDuYlfrcsRiIHau0.cs	High entropy of concatenated method names: 'hNUs71RsHe', 'jtusqNuYvg', 'EEFsIRF7o2', 'Wqgs9MawBC', 'bp4sSpubSQ', 'CgwsnACAth', 'AhaspZlYG8', 'XcuslZUQLx', 'HeasVP7ZsM', 'PRSsZZDAfu'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, eyv5YOuMjDLrlxxby8.cs	High entropy of concatenated method names: 'TBsQjMdnj4', 'hbkQmToKY1', 'S4yQuZJ3K8', 'jvjQFWLgPB', 'iErQkARCih', 'G63Qr4RXJ8', 'bP3QN3qllB', 'zvLQCViqIl', 'uSGQMU9oxq', 'JvkQ4MFfAj'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, OlKBxpAU6MoVNw4Ycq.cs	High entropy of concatenated method names: 'HBpKBBKhsI', 'TTGKkl4bE6', 'HybKrDOk7p', 'Du2KNY2s6n', 'xiCKC1mRhU', 'UYuKMTkwrX', 'KGCK4eUp05', 'uKGKabbvdZ', 'mhiKh8SwmT', 'k1eKjEOOHy'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, I7dWmOvlfxTPrEsXZh.cs	High entropy of concatenated method names: 'tBJKQXEauU', 'ojwK5WrHc1', 'DuuKKlCGjn', 'eQeKOKQGJ1', 'cDjKcRipXe', 'wX7Kf57qxb', 'Dispose', 'PljJqBrkai', 'PV0JIB1sYQ', 'ljcJ9H8pT5'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, FsVG3kPPXPBJ5utfbyr.cs	High entropy of concatenated method names: 'uxqYi5iImu', 'EhjYzKQTej', 'OlhOH6RXdm', 'XZkOP7uNsa', 'bYSO1adajF', 'CA3OsAkPS3', 'mmmOUC1ju5', 'jsSO7cVA0e', 'PbyOqhVGws', 'wJ1OISaS1x'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, bHBohr2Tn3xNRHDyxl.cs	High entropy of concatenated method names: 'uBS5Z82B7J', 'SZP50gFU18', 'ToString', 'I0d5qZHVGQ', 'IJN5IbJOlR', 'UsL59SJyaq', 'IrB5SPKTEy', 'FBN5nG89aw', 'VYA5pdGqn3', 'U7T5l5HmAT'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, rha776WQSPKos2EHbJ.cs	High entropy of concatenated method names: 'ToString', 't2YD8MPnT6', 'jJGDkytpO5', 'bMODroPurI', 'VpcDNEHATn', 'lRnDCHaufL', 'ybeDM0XPh6', 'l35D4Y2dql', 'YiADaRHeSq', 'PSQDhxs5uP'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, juqVWnykJF34oGXK3k.cs	High entropy of concatenated method names: 'psKIuej4bp', 'pM8IFvDN1i', 'NMjIWTkkOR', 'NLII2yO5IT', 'G46IGhy3a4', 'G4xI3EKe6S', 'gVHIvMuKL6', 'KxgIbYuPZ3', 'mbMIASNfhZ', 'jl7IidbwtC'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, F5O3tc92kohVo17ZZC.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ptl1A0Y5kl', 'jTj1iJf1kN', 'DaY1znNUr4', 'nNBsHwg1v6', 'U6gsPCGtVs', 'UFFs1LgtEr', 'Rm5ssabF1A', 'TmULl5XAcgryKURRD8H'
Source: 0.2.rrequestforquotation.exe.3ec4bd0.1.raw.unpack, A9wJF2IoxiZX04GLPG.cs	High entropy of concatenated method names: 'Dispose', 'QTPPArEsXZ', 'lha1k5M2JS', 'PMHEXYlvWx', 'NN5Pi8YBfx', 'BbcPzmuOca', 'ProcessDialogKey', 'hS81HlKBxp', 'd6M1PoVNw4', 'scq11rfSvG'

Source: C:\Users\user\Desktop\rrequestforquotation.exe

File created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\rrequestforquotation.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oGnCNPiCwiAocn.exe PID: 7896, type: MEMORYSTR

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory allocated: 1260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory allocated: 7B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory allocated: 8B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory allocated: 8CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory allocated: 1010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory allocated: 7050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory allocated: 8050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory allocated: 81F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory allocated: 91F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory allocated: 1440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory allocated: 4EB0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597788	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597679	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597446	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597318	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596086	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594823	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594701	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594587	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594029	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598678
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598419
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598217
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597999
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597766
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597188
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597079
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596954
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596704
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596579
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596454
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596329
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596204
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596079
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595954
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595704
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595579
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595454
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595329
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595204
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594110
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 593985
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 593860

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5497	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6780	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Window / User API: threadDelayed 2537	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Window / User API: threadDelayed 7305	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Window / User API: threadDelayed 6992
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Window / User API: threadDelayed 2829

Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 7304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8064	Thread sleep count: 2537 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8064	Thread sleep count: 7305 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -598655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -597788s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -597679s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -597446s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -597318s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -596968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -596421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -596086s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -594823s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -594701s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -594587s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe TID: 8060	Thread sleep time: -594029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 7924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 2316	Thread sleep count: 6992 > 30
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 2316	Thread sleep count: 2829 > 30
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -599782s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -598829s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -598678s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -598419s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -598217s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -597999s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -597891s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -597766s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -597313s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -597188s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -597079s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -596954s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -596829s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -596704s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -596579s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -596454s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -596329s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -596204s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -596079s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -595954s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -595829s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -595704s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -595579s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -595454s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -595329s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -595204s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -595078s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -594969s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -594110s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -593985s >= -30000s
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe TID: 1740	Thread sleep time: -593860s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597788	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597679	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597446	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597318	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 596086	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594823	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594701	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594587	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Thread delayed: delay time: 594029	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598678
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598419
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598217
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597999
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597766
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597188
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 597079
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596954
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596704
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596579
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596454
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596329
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596204
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 596079
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595954
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595829
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595704
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595579
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595454
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595329
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595204
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 594110
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 593985
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Thread delayed: delay time: 593860

Source: oGnCNPiCwiAocn.exe, 0000000F.00000002.4143308407.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpHandlers />
Source: rrequestforquotation.exe, 00000008.00000002.4144260321.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\rrequestforquotation.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Memory written: C:\Users\user\Desktop\rrequestforquotation.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Memory written: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Process created: C:\Users\user\Desktop\rrequestforquotation.exe "C:\Users\user\Desktop\rrequestforquotation.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Process created: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Users\user\Desktop\rrequestforquotation.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Users\user\Desktop\rrequestforquotation.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\rrequestforquotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4145794163.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4146056209.000000000307F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4145794163.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4146056209.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oGnCNPiCwiAocn.exe PID: 6112, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\rrequestforquotation.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\rrequestforquotation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oGnCNPiCwiAocn.exe PID: 6112, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e80ff0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e603d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e80ff0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rrequestforquotation.exe.3e603d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4145794163.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4146056209.000000000307F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4145794163.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4146056209.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rrequestforquotation.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rrequestforquotation.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oGnCNPiCwiAocn.exe PID: 6112, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rrequestforquotation.exe	43%	Virustotal		Browse
rrequestforquotation.exe	100%	Avira	HEUR/AGEN.1309540
rrequestforquotation.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	100%	Avira	HEUR/AGEN.1309540
C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe	43%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.75	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003043000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F6B000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.75$	rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	rrequestforquotation.exe, 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000300D000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003028000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003071000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.000000000301A000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003063000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rrequestforquotation.exe, 00000000.00000002.1746469982.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002991000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 00000009.00000002.1838856282.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	rrequestforquotation.exe, 00000000.00000002.1756404377.0000000005EA0000.00000004.00000020.00020000.00000000.sdmp, rrequestforquotation.exe, 00000000.00000002.1756452809.0000000006F72000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/ppx17/Onkyo-Remote-Control	rrequestforquotation.exe, oGnCNPiCwiAocn.exe.0.dr	false	high
https://reallyfreegeoip.org/xml/	rrequestforquotation.exe, 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4145794163.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, rrequestforquotation.exe, 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, oGnCNPiCwiAocn.exe, 0000000F.00000002.4146056209.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560713
Start date and time:	2024-11-22 08:31:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rrequestforquotation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 310 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target oGnCNPiCwiAocn.exe, PID 6112 because it is empty
Execution Graph export aborted for target rrequestforquotation.exe, PID 7792 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:31:56	API Interceptor	8826251x Sleep call for process: rrequestforquotation.exe modified
02:32:03	API Interceptor	36x Sleep call for process: powershell.exe modified
02:32:06	API Interceptor	6109221x Sleep call for process: oGnCNPiCwiAocn.exe modified
07:32:03	Task Scheduler	Run new task: oGnCNPiCwiAocn path: C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	BOQ and Full Specification.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
172.67.177.134	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Confirmation transfer AGS # 03-10-24.scr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Drawing_Products_Materials_and_Samples_IMG.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.FileRepMalware.11227.27096.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	TransactionDetailsAAED768093.scr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	PI-005.exe	Get hash	malicious	Snake Keylogger	Browse
	DHL Package.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	SOA SEP 2024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	132.226.8.169
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	193.122.130.0
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
reallyfreegeoip.org	SOA SEP 2024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	SOA SEP 2024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	arm5.nn-20241122-0008.elf	Get hash	malicious	Mirai, Okiru	Browse	147.154.211.97
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	193.122.130.0
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	http://interpro.wisc.edu/courses/maintaining-asphalt-pavements/?utm_source=Brochure&utm_medium=postal&utm_campaign=D487&utm_term=SHB&utm_content=Sep	Get hash	malicious	Unknown	Browse	147.154.51.84
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.155.248
	https://tryskincell.com/offer/skincell_adv/uk-v1n/index.html?uid=c972fd1e-52ac-4150-82c1-1ef8c12bea5e	Get hash	malicious	Unknown	Browse	104.26.15.84
	PO #2411071822.exe	Get hash	malicious	FormBook	Browse	172.67.209.48
	SOA SEP 2024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.66.38
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	https://365214tesauppeortbasd132.z26.web.core.windows.net/#	Get hash	malicious	TechSupportScam	Browse	104.22.44.142

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	SOA SEP 2024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	172.67.177.134
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	172.67.177.134
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	172.67.177.134
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134

Process:	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rrequestforquotation.exe.log

Download File

Process:	C:\Users\user\Desktop\rrequestforquotation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3792772635987225
Encrypted:	false
SSDEEP:	48:bWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:bLHxvCsIfA2KRHmOugw1s
MD5:	24BC35D470461ED90FC4BFFF902B8C7E
SHA1:	0FA16F6526E5ECF142B47EF95DC7FF9F6C12734A
SHA-256:	FF60D2E27C696044BADA174E175C85E8CACB9E310EDCAC365AE6864B38709EFF
SHA-512:	584AAF5C4E5CBD704DA722965920F21FF80CC25A7B79E6D552E8BDF7A30416AEC3CC7D314A9A15630A6B8EBDEADBB3CDC7784927E8276788DEE2DFF8556617F4
Malicious:	false
Preview:	@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zx4jgfc.ryv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewgtqzvh.5xd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kuzz3bkh.m3f.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_llvbzpdn.aqz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tha1q2k3.b4x.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wvobn35q.obr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeflaksy.riu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zaohc415.w4a.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpC98D.tmp

Download File

Process:	C:\Users\user\Desktop\rrequestforquotation.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.108874917233348
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta/xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTov
MD5:	D90A9AAD9343C091E18E1821968785DB
SHA1:	090471B7ACD25ADB470578DAEA49BBF601A71B39
SHA-256:	DC9F448780C366116900F5A25CDC2ED830C927FAC607CEB19FFD0E82519E1F21
SHA-512:	3FE3CCDBBA6DEBA19B7B1943F794F326736F83BA68D5A154477E3E0E2F961FE0C2666064E7911B0EFAF75697A1F4E52D251D2170D0DAFB9C5B0BBD83B5151E2F
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpEF35.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.108874917233348
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta/xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTov
MD5:	D90A9AAD9343C091E18E1821968785DB
SHA1:	090471B7ACD25ADB470578DAEA49BBF601A71B39
SHA-256:	DC9F448780C366116900F5A25CDC2ED830C927FAC607CEB19FFD0E82519E1F21
SHA-512:	3FE3CCDBBA6DEBA19B7B1943F794F326736F83BA68D5A154477E3E0E2F961FE0C2666064E7911B0EFAF75697A1F4E52D251D2170D0DAFB9C5B0BBD83B5151E2F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Download File

Process:	C:\Users\user\Desktop\rrequestforquotation.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	609280
Entropy (8bit):	7.807233971385083
Encrypted:	false
SSDEEP:	12288:VWjK4A9bRiI5VIfzhXLhZnFLsrPmaj015WWn9QNViWeCT+GCqR:AjKRByzhFErOaj0x9uiWeCtCq
MD5:	4A15ED0FEB9E90B56E82C2E45A3B3F5E
SHA1:	659661291EB5FD6452D6CABDC24CD9FBC1FB17F7
SHA-256:	D5D8C33957E90D1CACA4B5207D8DA5AB1BC4CAA9F702ABC0EC006D0518EA9AEC
SHA-512:	F5C0E6FD93018B454DB12EF76B10A6FEECA5D532A7599A6460D00C1870518752FB4EC0BC1052DE34E6D4E18E040658D59037A757232F49731264B81C5FE32FED
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 43%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....@g..............0..&...$.......D... ...`....@.. ....................................@.................................\D..O....`...!........................................................................... ............... ..H............text....$... ...&.................. ..`.rsrc....!...`..."...(..............@..@.reloc...............J..............@..B.................D......H...................)...\|.................................................{...."..}......{...."..}......{...."..}......{...."..}....".(.......r...p}.....r...p}......}.....(.......('......0...........r!..p.(.....+......0.............{....o....o....}....s......{.....o......{.....o......{....s........o .....r#..po!......o"...o#....+a.o$...t(........r1..po%...o....rG..p(&.......,1...r]..po%...o.........o'.....{....o(.....o)...&...o...-....u).......,...o+.............o

C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\rrequestforquotation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.807233971385083
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	rrequestforquotation.exe
File size:	609'280 bytes
MD5:	4a15ed0feb9e90b56e82c2e45a3b3f5e
SHA1:	659661291eb5fd6452d6cabdc24cd9fbc1fb17f7
SHA256:	d5d8c33957e90d1caca4b5207d8da5ab1bc4caa9f702abc0ec006d0518ea9aec
SHA512:	f5c0e6fd93018b454db12ef76b10a6feeca5d532a7599a6460d00c1870518752fb4ec0bc1052de34e6d4e18e040658d59037a757232f49731264b81c5fe32fed
SSDEEP:	12288:VWjK4A9bRiI5VIfzhXLhZnFLsrPmaj015WWn9QNViWeCT+GCqR:AjKRByzhFErOaj0x9uiWeCtCq
TLSH:	5CD4E06033ED1F61E57E77F2A474211853B7712A0A71EA0E0EDA24DB1723B40DA92F67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....@g..............0..&...$.......D... ...`....@.. ....................................@................................

File Icon


Icon Hash:	4fd8dadadacad80f

Static PE Info

General

Entrypoint:	0x4944ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67401EAD [Fri Nov 22 06:03:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9445c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x96000	0x21c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x924b4	0x92600	7726518a87bbf6d28e8ce5939b8eb1d8	False	0.8882615686379163	data	7.816513553096816	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x96000	0x21c4	0x2200	459d53204177eb144d538a8494d5ebf6	False	0.8575367647058824	data	7.432157012320266	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	42962c6502c06f02018301d63eed01f4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x96100	0x1b63	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9516474112109542
RT_GROUP_ICON	0x97c74	0x14	data	1.05
RT_VERSION	0x97c98	0x32c	data	0.43103448275862066
RT_MANIFEST	0x97fd4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-22T08:32:07.241640+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49735	193.122.6.168	80	TCP
2024-11-22T08:32:09.601017+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49735	193.122.6.168	80	TCP
2024-11-22T08:32:11.267133+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49737	172.67.177.134	443	TCP
2024-11-22T08:32:13.210408+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	193.122.6.168	80	TCP
2024-11-22T08:32:14.885958+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49739	172.67.177.134	443	TCP
2024-11-22T08:32:15.866686+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	193.122.6.168	80	TCP
2024-11-22T08:32:16.298602+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49742	193.122.6.168	80	TCP
2024-11-22T08:32:18.012891+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49745	172.67.177.134	443	TCP
2024-11-22T08:32:18.991673+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	193.122.6.168	80	TCP
2024-11-22T08:32:20.669145+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49749	172.67.177.134	443	TCP
2024-11-22T08:32:22.132707+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49752	193.122.6.168	80	TCP
2024-11-22T08:32:27.701109+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49760	172.67.177.134	443	TCP
2024-11-22T08:32:30.402900+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49763	172.67.177.134	443	TCP
2024-11-22T08:32:30.811460+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49764	172.67.177.134	443	TCP
2024-11-22T08:32:33.504792+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49766	172.67.177.134	443	TCP
2024-11-22T08:32:39.957714+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49770	172.67.177.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 08:32:05.195987940 CET	49735	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:05.315716982 CET	80	49735	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:05.315839052 CET	49735	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:05.316364050 CET	49735	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:05.436520100 CET	80	49735	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:06.629363060 CET	80	49735	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:06.659501076 CET	49735	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:06.779242992 CET	80	49735	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:07.073679924 CET	80	49735	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:07.241640091 CET	49735	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:07.263585091 CET	49736	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:07.263670921 CET	443	49736	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:07.263767004 CET	49736	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:07.270663977 CET	49736	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:07.270699978 CET	443	49736	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:08.577635050 CET	443	49736	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:08.577724934 CET	49736	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:08.582849979 CET	49736	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:08.582876921 CET	443	49736	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:08.583163023 CET	443	49736	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:08.653948069 CET	49736	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:08.699359894 CET	443	49736	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:09.040904045 CET	443	49736	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:09.041094065 CET	443	49736	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:09.045087099 CET	49736	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:09.080391884 CET	49736	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:09.115253925 CET	49735	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:09.234911919 CET	80	49735	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:09.552304983 CET	80	49735	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:09.554485083 CET	49737	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:09.554601908 CET	443	49737	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:09.554680109 CET	49737	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:09.554961920 CET	49737	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:09.555003881 CET	443	49737	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:09.601016998 CET	49735	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:10.811676979 CET	443	49737	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:10.814819098 CET	49737	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:10.814874887 CET	443	49737	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:11.267148018 CET	443	49737	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:11.267206907 CET	443	49737	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:11.267278910 CET	49737	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:11.268062115 CET	49737	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:11.273401976 CET	49735	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:11.275331974 CET	49738	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:11.394531012 CET	80	49735	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:11.394597054 CET	49735	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:11.396177053 CET	80	49738	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:11.396274090 CET	49738	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:11.397593975 CET	49738	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:11.757289886 CET	49738	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:11.975744009 CET	80	49735	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:11.975826025 CET	49735	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:11.975883961 CET	80	49738	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:11.975897074 CET	80	49738	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:12.095474005 CET	80	49735	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:13.168999910 CET	80	49738	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:13.170167923 CET	49739	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:13.170231104 CET	443	49739	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:13.170314074 CET	49739	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:13.170583010 CET	49739	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:13.170613050 CET	443	49739	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:13.210407972 CET	49738	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:13.909854889 CET	49741	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:14.029350996 CET	80	49741	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:14.029442072 CET	49741	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:14.029712915 CET	49741	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:14.149195910 CET	80	49741	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:14.431535959 CET	443	49739	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:14.443522930 CET	49739	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:14.443588972 CET	443	49739	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:14.886027098 CET	443	49739	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:14.886192083 CET	443	49739	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:14.886382103 CET	49739	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:14.895502090 CET	49739	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:14.910542965 CET	49738	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:14.912122011 CET	49742	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:15.030421972 CET	80	49738	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:15.031625032 CET	80	49742	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:15.031686068 CET	49738	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:15.031860113 CET	49742	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:15.031910896 CET	49742	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:15.151350975 CET	80	49742	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:15.390749931 CET	80	49741	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:15.395490885 CET	49741	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:15.515218973 CET	80	49741	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:15.818934917 CET	80	49741	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:15.865820885 CET	49744	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:15.865905046 CET	443	49744	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:15.866082907 CET	49744	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:15.866686106 CET	49741	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:15.871305943 CET	49744	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:15.871350050 CET	443	49744	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:16.298319101 CET	80	49742	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:16.298602104 CET	49742	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:16.300014973 CET	49745	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:16.300096989 CET	443	49745	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:16.300177097 CET	49745	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:16.300560951 CET	49745	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:16.300595045 CET	443	49745	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:16.418456078 CET	80	49742	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:16.418534994 CET	49742	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:17.188864946 CET	443	49744	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:17.188992977 CET	49744	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:17.268210888 CET	49744	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:17.268258095 CET	443	49744	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:17.269355059 CET	443	49744	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:17.319787025 CET	49744	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:17.557466984 CET	443	49745	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:17.601074934 CET	49745	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:17.601891041 CET	49745	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:17.601913929 CET	443	49745	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:18.012635946 CET	443	49745	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:18.012700081 CET	443	49745	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:18.012784004 CET	49745	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:18.013220072 CET	49745	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:18.025396109 CET	49748	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:18.144893885 CET	80	49748	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:18.145006895 CET	49748	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:18.145133018 CET	49748	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:18.159770012 CET	49744	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:18.207367897 CET	443	49744	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:18.264880896 CET	80	49748	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:18.511101007 CET	443	49744	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:18.511270046 CET	443	49744	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:18.511544943 CET	49744	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:18.521349907 CET	49744	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:18.525125027 CET	49741	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:18.644758940 CET	80	49741	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:18.949379921 CET	80	49741	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:18.951647043 CET	49749	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:18.951683044 CET	443	49749	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:18.951873064 CET	49749	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:18.952155113 CET	49749	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:18.952171087 CET	443	49749	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:18.991672993 CET	49741	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:19.456990004 CET	80	49748	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:19.458272934 CET	49750	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:19.458312988 CET	443	49750	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:19.458440065 CET	49750	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:19.458686113 CET	49750	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:19.458702087 CET	443	49750	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:19.507276058 CET	49748	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:20.215662956 CET	443	49749	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:20.257288933 CET	49749	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:20.268969059 CET	49749	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:20.268980026 CET	443	49749	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:20.669200897 CET	443	49749	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:20.669374943 CET	443	49749	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:20.669548988 CET	49749	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:20.676028013 CET	49749	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:20.736846924 CET	49741	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:20.740608931 CET	49752	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:20.768017054 CET	443	49750	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:20.777955055 CET	49750	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:20.777975082 CET	443	49750	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:20.856724977 CET	80	49741	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:20.856784105 CET	49741	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:20.860178947 CET	80	49752	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:20.860268116 CET	49752	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:20.860507965 CET	49752	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:20.980034113 CET	80	49752	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:21.241214037 CET	443	49750	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:21.241395950 CET	443	49750	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:21.241463900 CET	49750	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:21.242054939 CET	49750	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:21.246047020 CET	49748	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:21.247138977 CET	49753	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:21.365926981 CET	80	49748	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:21.366004944 CET	49748	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:21.366668940 CET	80	49753	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:21.366755962 CET	49753	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:21.367018938 CET	49753	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:21.486413002 CET	80	49753	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:22.131773949 CET	80	49752	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:22.132707119 CET	49752	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:22.133869886 CET	49754	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:22.133930922 CET	443	49754	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:22.134035110 CET	49754	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:22.134341955 CET	49754	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:22.134367943 CET	443	49754	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:22.252532005 CET	80	49752	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:22.252624035 CET	49752	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:22.725881100 CET	80	49753	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:22.727452993 CET	49756	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:22.727482080 CET	443	49756	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:22.727567911 CET	49756	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:22.727932930 CET	49756	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:22.727945089 CET	443	49756	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:22.773036003 CET	49753	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:23.396964073 CET	443	49754	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:23.412841082 CET	49754	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:23.412890911 CET	443	49754	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:23.849803925 CET	443	49754	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:23.849978924 CET	443	49754	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:23.850064993 CET	49754	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:23.850316048 CET	49754	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:23.855122089 CET	49757	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:23.975409031 CET	80	49757	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:23.975810051 CET	49757	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:23.975810051 CET	49757	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:23.985147953 CET	443	49756	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:23.993256092 CET	49756	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:23.993273973 CET	443	49756	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:24.095448017 CET	80	49757	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:24.445585012 CET	443	49756	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:24.445666075 CET	443	49756	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:24.445719957 CET	49756	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:24.446274996 CET	49756	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:24.450313091 CET	49753	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:24.451658010 CET	49758	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:24.570211887 CET	80	49753	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:24.570278883 CET	49753	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:24.571074009 CET	80	49758	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:24.571141958 CET	49758	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:24.571290016 CET	49758	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:24.690792084 CET	80	49758	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:25.288683891 CET	80	49757	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:25.290246010 CET	49759	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:25.290330887 CET	443	49759	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:25.290420055 CET	49759	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:25.290719032 CET	49759	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:25.290756941 CET	443	49759	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:25.335417986 CET	49757	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:25.931341887 CET	80	49758	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:25.932662964 CET	49760	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:25.932770014 CET	443	49760	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:25.932854891 CET	49760	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:25.933139086 CET	49760	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:25.933172941 CET	443	49760	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:25.976052046 CET	49758	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:26.553390980 CET	443	49759	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:26.562480927 CET	49759	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:26.562580109 CET	443	49759	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:27.004933119 CET	443	49759	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:27.005100965 CET	443	49759	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:27.005187035 CET	49759	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:27.005691051 CET	49759	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:27.010381937 CET	49757	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:27.011631966 CET	49761	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:27.130364895 CET	80	49757	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:27.130450964 CET	49757	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:27.131112099 CET	80	49761	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:27.131354094 CET	49761	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:27.131511927 CET	49761	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:27.240089893 CET	443	49760	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:27.250904083 CET	80	49761	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:27.252803087 CET	49760	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:27.252876043 CET	443	49760	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:27.701175928 CET	443	49760	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:27.701337099 CET	443	49760	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:27.701642990 CET	49760	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:27.702009916 CET	49760	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:27.706737995 CET	49758	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:27.708292961 CET	49762	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:27.826700926 CET	80	49758	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:27.826878071 CET	49758	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:27.827734947 CET	80	49762	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:27.827833891 CET	49762	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:27.827969074 CET	49762	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:27.947364092 CET	80	49762	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:28.446923971 CET	80	49761	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:28.448100090 CET	49763	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:28.448195934 CET	443	49763	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:28.448282957 CET	49763	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:28.448529005 CET	49763	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:28.448574066 CET	443	49763	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:28.491710901 CET	49761	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:29.140007973 CET	80	49762	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:29.141331911 CET	49764	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:29.141418934 CET	443	49764	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:29.141501904 CET	49764	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:29.141904116 CET	49764	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:29.141941071 CET	443	49764	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:29.194808960 CET	49762	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:29.946182966 CET	443	49763	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:29.955116034 CET	49763	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:29.955205917 CET	443	49763	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:30.364794970 CET	443	49764	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:30.366621971 CET	49764	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:30.366698980 CET	443	49764	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:30.403026104 CET	443	49763	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:30.403199911 CET	443	49763	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:30.403362989 CET	49763	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:30.403542995 CET	49763	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:30.406924009 CET	49761	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:30.408263922 CET	49765	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:30.526674032 CET	80	49761	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:30.527815104 CET	80	49765	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:30.527878046 CET	49761	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:30.527894020 CET	49765	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:30.528003931 CET	49765	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:30.648562908 CET	80	49765	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:30.811554909 CET	443	49764	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:30.811721087 CET	443	49764	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:30.811923981 CET	49764	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:30.812478065 CET	49764	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:31.842056036 CET	80	49765	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:31.843355894 CET	49766	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:31.843425989 CET	443	49766	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:31.843513966 CET	49766	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:31.843717098 CET	49766	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:31.843744040 CET	443	49766	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:31.882361889 CET	49765	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:33.060446978 CET	443	49766	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:33.062047958 CET	49766	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:33.062110901 CET	443	49766	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:33.504847050 CET	443	49766	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:33.504992008 CET	443	49766	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:33.505192995 CET	49766	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:33.505531073 CET	49766	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:33.509322882 CET	49765	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:33.510706902 CET	49767	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:33.629128933 CET	80	49765	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:33.630239964 CET	80	49767	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:33.630440950 CET	49765	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:33.630440950 CET	49767	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:33.630614042 CET	49767	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:33.750025988 CET	80	49767	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:34.999136925 CET	80	49767	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:35.025578022 CET	49768	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:35.025650978 CET	443	49768	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:35.025739908 CET	49768	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:35.030631065 CET	49768	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:35.030657053 CET	443	49768	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:35.054189920 CET	49767	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:36.293406963 CET	443	49768	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:36.295675993 CET	49768	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:36.295722961 CET	443	49768	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:36.745549917 CET	443	49768	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:36.745702982 CET	443	49768	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:36.745788097 CET	49768	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:36.746233940 CET	49768	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:36.750235081 CET	49767	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:36.751529932 CET	49769	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:36.870553970 CET	80	49767	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:36.870629072 CET	49767	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:36.871093035 CET	80	49769	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:36.871197939 CET	49769	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:36.871356010 CET	49769	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:36.990883112 CET	80	49769	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:38.239280939 CET	80	49769	193.122.6.168	192.168.2.4
Nov 22, 2024 08:32:38.241045952 CET	49770	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:38.241125107 CET	443	49770	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:38.241275072 CET	49770	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:38.241513968 CET	49770	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:38.241539955 CET	443	49770	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:38.288599968 CET	49769	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:32:39.504492044 CET	443	49770	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:39.506772041 CET	49770	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:39.506815910 CET	443	49770	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:39.957789898 CET	443	49770	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:39.957990885 CET	443	49770	172.67.177.134	192.168.2.4
Nov 22, 2024 08:32:39.958101034 CET	49770	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:32:39.965948105 CET	49770	443	192.168.2.4	172.67.177.134
Nov 22, 2024 08:33:34.149502039 CET	80	49762	193.122.6.168	192.168.2.4
Nov 22, 2024 08:33:34.149590015 CET	49762	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:33:43.244144917 CET	80	49769	193.122.6.168	192.168.2.4
Nov 22, 2024 08:33:43.244227886 CET	49769	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:34:09.148308039 CET	49762	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:34:09.267818928 CET	80	49762	193.122.6.168	192.168.2.4
Nov 22, 2024 08:34:18.243112087 CET	49769	80	192.168.2.4	193.122.6.168
Nov 22, 2024 08:34:18.362617970 CET	80	49769	193.122.6.168	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 08:32:05.048475981 CET	62077	53	192.168.2.4	1.1.1.1
Nov 22, 2024 08:32:05.186908960 CET	53	62077	1.1.1.1	192.168.2.4
Nov 22, 2024 08:32:07.124785900 CET	54030	53	192.168.2.4	1.1.1.1
Nov 22, 2024 08:32:07.262814999 CET	53	54030	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 08:32:05.048475981 CET	192.168.2.4	1.1.1.1	0xe76d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 08:32:07.124785900 CET	192.168.2.4	1.1.1.1	0x9f36	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 08:32:05.186908960 CET	1.1.1.1	192.168.2.4	0xe76d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 08:32:05.186908960 CET	1.1.1.1	192.168.2.4	0xe76d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 22, 2024 08:32:05.186908960 CET	1.1.1.1	192.168.2.4	0xe76d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 22, 2024 08:32:05.186908960 CET	1.1.1.1	192.168.2.4	0xe76d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 22, 2024 08:32:05.186908960 CET	1.1.1.1	192.168.2.4	0xe76d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 22, 2024 08:32:05.186908960 CET	1.1.1.1	192.168.2.4	0xe76d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 22, 2024 08:32:07.262814999 CET	1.1.1.1	192.168.2.4	0x9f36	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 22, 2024 08:32:07.262814999 CET	1.1.1.1	192.168.2.4	0x9f36	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	193.122.6.168	80	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:05.316364050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:06.629363060 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:06 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 17c751de690946612ad40f867fc295b9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 22, 2024 08:32:06.659501076 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 08:32:07.073679924 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:06 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 36478372943ddd04ed7b316f032baea7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 22, 2024 08:32:09.115253925 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 08:32:09.552304983 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 24070d953753b37fc6f4cc6ea4d42d91 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	193.122.6.168	80	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:11.397593975 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 08:32:11.757289886 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 08:32:13.168999910 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 027cbfc73e7ae32317cad954ffc47a51 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	193.122.6.168	80	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:14.029712915 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:15.390749931 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2e0cdcb213fe23b763bdf402740e6325 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 22, 2024 08:32:15.395490885 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 08:32:15.818934917 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0a58f135cd0e2d8fae8eca979a6b861c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 22, 2024 08:32:18.525125027 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 08:32:18.949379921 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fa3a66833b6eb4977303b222635427a0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	193.122.6.168	80	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:15.031910896 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 08:32:16.298319101 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:16 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1d6e8a499601c3b373b5e20b297e8ae9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49748	193.122.6.168	80	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:18.145133018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:19.456990004 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dbd516afc1ef40e355276babf6a87026 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49752	193.122.6.168	80	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:20.860507965 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 08:32:22.131773949 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 78844515fd4e60fa4aa9c3961476841d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49753	193.122.6.168	80	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:21.367018938 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:22.725881100 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 10d45d9891325ba64199f3ee5f73553c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49757	193.122.6.168	80	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:23.975810051 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:25.288683891 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: aa922f643b4d52ebe091039773b9b27f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49758	193.122.6.168	80	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:24.571290016 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:25.931341887 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 853445901e479a9f70bdb630e9b3e196 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49761	193.122.6.168	80	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:27.131511927 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:28.446923971 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4cdb90eac6a3e05dede1db29be0acc03 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49762	193.122.6.168	80	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:27.827969074 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:29.140007973 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 04562b1cd727ae62738f5b85f09c0285 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49765	193.122.6.168	80	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:30.528003931 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:31.842056036 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 262031e0907f89a287bb0b50cdf219c3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49767	193.122.6.168	80	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:33.630614042 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:34.999136925 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d593dea3f26e3ce1c3bf058c60a10dbd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49769	193.122.6.168	80	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 08:32:36.871356010 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 08:32:38.239280939 CET	320	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3e005a3291002d10361343e5177ffc71 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	172.67.177.134	443	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:08 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-22 07:32:09 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:08 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224637 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EGLCa%2Bcc4V9rx5YeAAC%2B9xnyCwvwzaS31TVLeypUaMOsc8zL7%2F4dpaK%2FLNfSeVbD4odEa2UZfgymrFYIAosOsfdS6Mf40Gw6uKnRwUQx9Okgfw0nKuu9XrATp%2BmuB5cgrR3XPaa4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e67395359255e6e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1588&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1775075&cwnd=233&unsent_bytes=0&cid=4f17c31525fde948&ts=473&x=0"
2024-11-22 07:32:09 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	172.67.177.134	443	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:10 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-22 07:32:11 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:11 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224640 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yW1962xKr5SbTGED2BeJ%2BhaMw9w7w7jZ582ELyJddTMoxUKZj3yMcU1LcOI9eAyttGTNX3IFs1yqPIGz1hy7qTcN5LJNocNFlebf%2BVxt%2BrjtfFNWloyU3hGMlncLpLJxzgBF%2BHBp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e67396158fd3354-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1988&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1399808&cwnd=114&unsent_bytes=0&cid=ae5162ef2b46c70d&ts=459&x=0"
2024-11-22 07:32:11 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	172.67.177.134	443	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:14 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-22 07:32:14 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:14 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224643 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RrZLTkb%2BdXvB96FwxGVQuABL4IpeDszDZmgHcUZtZ6bafP4Y9oqQD9bWM35oU1bLg6SGNKrK0ujhbIPmPtRNaFHOHGrU36ryKVC5ZiN5ZIYhcjnmlacWYkD6jcxTFpqj%2BlDY7P4%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e673977ffee8c51-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2114&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1432777&cwnd=234&unsent_bytes=0&cid=67540f0e3c16773c&ts=460&x=0"
2024-11-22 07:32:14 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	172.67.177.134	443	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:17 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-22 07:32:18 UTC	849	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:17 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224646 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2%2FgOz1PwIMjRzBUkXYbcg2Dnj1cIPAFfQBLiYM8onOPCiWImejpDFAiPeS3Cjg95n4JmK7ofi2y7aMqYpMq19r2mtYsZc0TKZBZSmy%2BT3QCAVzN0o2Ng2l2PToMuanrd1fhH4DEi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e67398b78cb7c93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2024&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1423001&cwnd=206&unsent_bytes=0&cid=d50ca238b8895b2c&ts=460&x=0"
2024-11-22 07:32:18 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	172.67.177.134	443	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:18 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-22 07:32:18 UTC	850	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:18 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224647 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OU37yYpzJ4LaueHs5IhU5WTuYgEq7o1YApZ3PBzG1nwtFSXkQmB73v0FPxfDEuKGRHevWrD1lADdKXPgvgQKW23xHi5HMwkxokcoy0oQVp8BQD31PGDpBGwaFs8neHjF53jfOz%2F%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e67398e8da4435b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1604&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1819314&cwnd=214&unsent_bytes=0&cid=44cac95f0136d718&ts=1333&x=0"
2024-11-22 07:32:18 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49749	172.67.177.134	443	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:20 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-22 07:32:20 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:20 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224649 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tl%2B%2Bo3GOGla8qTdy104XvqoXbAuPtVsqfGWDNyk%2FUFYnwFBhaFDfoBpALJYANIi9n60kQIuEiHGqFJm6LjJuKMystLwFWX8MJF1vxjTg08OgfPqHs7E67b2Uk5GRKY2aO7fV3ReA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e67399c1e5042f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1617&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1808049&cwnd=231&unsent_bytes=0&cid=f987b21ab2712daa&ts=464&x=0"
2024-11-22 07:32:20 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49750	172.67.177.134	443	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:20 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-22 07:32:21 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:21 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224650 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Y3E7qx8hihAkwdzHsoOGVfr428INslLPcKqnP%2FPzEf5CHwCAoz%2By%2FgkVL9%2Bn7gSTuXmB8hfsi4%2FXSNwMAp0LZvnZYrur5%2FJihA5Sy8YT%2FE55cXVJQ2uvvso4cnxwuL%2F4b502shT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e67399f98a143c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1809169&cwnd=191&unsent_bytes=0&cid=26a22acf4b38ab3a&ts=477&x=0"
2024-11-22 07:32:21 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49754	172.67.177.134	443	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:23 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-22 07:32:23 UTC	849	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:23 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224652 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4V1C7RPSoGcPIcbDQsvmD8bNFq1KqMeuoWPvRcmUEqVLqGXOKnBXeFvEOFfSm3CK%2BGMJ44Z5tfbKLZaVTDEq0Wt1DmXotnm3MvoXw9KgDAGITQt%2FusxeNytbFUQR6YsyozUJ7SNu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6739b00b0c0fa9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1641&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1734997&cwnd=252&unsent_bytes=0&cid=5a068d189e261d7f&ts=462&x=0"
2024-11-22 07:32:23 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49756	172.67.177.134	443	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:23 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-22 07:32:24 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:24 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224653 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q%2FCV59QebytkKHYCZGVVpEBCxw0fCXwDnSmFbBfShbmQlLmwHwcf3y7vk%2B3QkslemJpwsUc2t%2BucTGBTXv%2FWKch2u3J0yGY6plpKhzas3PUlWBiIfNs2IjcFyASeEqEbZydq%2BHY3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6739b3ac3b422d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1649&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1650650&cwnd=224&unsent_bytes=0&cid=828e50aa4183f9cf&ts=466&x=0"
2024-11-22 07:32:24 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49759	172.67.177.134	443	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:26 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-22 07:32:27 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:26 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224655 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4qVTx5Js%2B5Zxh2SopK7AmEdmmrcm7W%2Be5HTNwJ7JQ3iNclMM%2FJk6f40qrcpDjrBMS9Z1jbQsg9bWIBZYxcU%2Fea%2FbV3AOZB3O5EZ33NWyk1sc12Mf1zpViat8vTKx4QZ4Yj%2BaGDmU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6739c3ac37c475-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1499&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1947965&cwnd=177&unsent_bytes=0&cid=fd83b640dc8381c3&ts=460&x=0"
2024-11-22 07:32:27 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49760	172.67.177.134	443	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:27 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-22 07:32:27 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:27 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224656 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1onmO5l0U4mrUrOEfs8XPbl%2FWsOjD2f4HwoLAxOlP4LZD%2F16egWhfP%2F5JPNTXq8YymcuWsEQyPhyNW%2F%2FyiyqzhHes%2F0TVL7TsVm2IFanbHQQC7gIvbQos8nydv430xdfqH2G5OwQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6739c80de742ab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1722&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1661923&cwnd=199&unsent_bytes=0&cid=9ef8e92aba98fac0&ts=469&x=0"
2024-11-22 07:32:27 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49763	172.67.177.134	443	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:29 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-22 07:32:30 UTC	851	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:30 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224659 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jVQFNa89yiDefOkePH%2Bn4Oh62qa4NMDn2pY%2BVOG6TWV8GKwOLJzUmHeHvy2pdPU55Spiq1CrIvqeYLvGdcMStjDbdrV0HmBXiVVrQJDzaLKz0jnERqRj9jCe36OCtVhtR3X%2FOKeP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6739d8f9e343e0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1556&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1802469&cwnd=247&unsent_bytes=0&cid=d896fce90acc4d8f&ts=701&x=0"
2024-11-22 07:32:30 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49764	172.67.177.134	443	7792	C:\Users\user\Desktop\rrequestforquotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:30 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-22 07:32:30 UTC	863	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:30 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224659 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W7wJZf18YIQPJArb2kHmoQPwJO6Ev%2FRAtu9iQlgblwvfPr%2FKh95%2FO9O7BHoMuOxkJKw9O%2BN4Z%2BFiBQY%2BbpQ7u77fzh%2BlHmCUdSZqJd6ZWkhL5a36JvYBlhg%2BdaAc%2BLHfYjP09yil"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6739db89cd7ce7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2246&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1444114&cwnd=193&unsent_bytes=0&cid=db9c23d80c830e30&ts=453&x=0"
2024-11-22 07:32:30 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49766	172.67.177.134	443	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:33 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-22 07:32:33 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:33 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224662 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tpFuSjB1lnW%2Bq0DJHgB8IoZonwqcIE%2FlZ0sFwpEP9FblSc5sTWthwd38SILPU5kNLbacqGDwfqC%2FVWXb86xDp3rxcw9lQ53aRPaVK%2FYAdg8T7uJfP3aE6y6SB%2F4s2TcpgPU8qIhk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6739ec5e044234-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1710&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1710603&cwnd=171&unsent_bytes=0&cid=66d4accf8bc535a6&ts=450&x=0"
2024-11-22 07:32:33 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49768	172.67.177.134	443	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:36 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-22 07:32:36 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:36 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224665 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mDHKy4V%2BXPQ2r8hza4HAX%2BZtJ7%2Bwv7WnxCU2MtlMLNBVgjECs0Ikl88mwLxHoOW4YpVct4AnuCXUT7YWsXeFc6Krv%2BXTuVi9BzKy5iIiKIpBeaWEUYObpAeEvgHo98XHr7ACQFR5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e673a009cf74325-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1794&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1619523&cwnd=180&unsent_bytes=0&cid=5bcfb35b3c9e3885&ts=461&x=0"
2024-11-22 07:32:36 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49770	172.67.177.134	443	6112	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 07:32:39 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-22 07:32:39 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 07:32:39 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 224668 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BdCvgqv7jYaVxiuyRVgKb%2FIgBJ0pzt9MyPhiEw7mdE%2FaXf7b2WGH9pxJ7CZMGrjsiGbWfZFCQF7Yg%2F8BLQoRBVcR2sPi2Ue8nlLG2junAcM2jP091Ddg9XlNv5Ar9NM45CWV5hlW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e673a14ae5e7cae-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1923&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1494370&cwnd=202&unsent_bytes=0&cid=b297e60cddaa8cd0&ts=462&x=0"
2024-11-22 07:32:39 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Target ID:	0
Start time:	02:31:55
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\rrequestforquotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rrequestforquotation.exe"
Imagebase:	0x860000
File size:	609'280 bytes
MD5 hash:	4A15ED0FEB9E90B56E82C2E45A3B3F5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1748719685.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:32:02
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rrequestforquotation.exe"
Imagebase:	0x170000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:32:02
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:32:02
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Imagebase:	0x170000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:32:02
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:32:02
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpC98D.tmp"
Imagebase:	0xcd0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:32:02
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:32:02
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\rrequestforquotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rrequestforquotation.exe"
Imagebase:	0x710000
File size:	609'280 bytes
MD5 hash:	4A15ED0FEB9E90B56E82C2E45A3B3F5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.4142621856.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.4145794163.0000000002B60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.4145794163.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	02:32:04
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe
Imagebase:	0x310000
File size:	609'280 bytes
MD5 hash:	4A15ED0FEB9E90B56E82C2E45A3B3F5E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 43%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:32:05
Start date:	22/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:32:12
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oGnCNPiCwiAocn" /XML "C:\Users\user\AppData\Local\Temp\tmpEF35.tmp"
Imagebase:	0xcd0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:32:12
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:32:12
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Imagebase:	0xd0000
File size:	609'280 bytes
MD5 hash:	4A15ED0FEB9E90B56E82C2E45A3B3F5E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:32:12
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\oGnCNPiCwiAocn.exe"
Imagebase:	0xb40000
File size:	609'280 bytes
MD5 hash:	4A15ED0FEB9E90B56E82C2E45A3B3F5E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.4146056209.000000000307F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.4146056209.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	207
Total number of Limit Nodes:	15

Executed Functions

Function 07A054D8 Relevance: 8.4, Strings: 6, Instructions: 888COMMON

Download Yara Rule

Strings

(o^q, xrefs: 07A05D48
,bq, xrefs: 07A05DB2
Hbq, xrefs: 07A058CE
(o^q, xrefs: 07A05D3A
,bq, xrefs: 07A05DC0
(o^q, xrefs: 07A05A02

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-56095411
Opcode ID: 9b82e405f6ed0b74f90ea0bdb7b948947daa8cc4b4402c69d71b614b659dabc0
Instruction ID: 46d5f29f067e479c1de186bd9358e0f0338a302cab89d82fb7084ef6ac4dcc4c
Opcode Fuzzy Hash: 9b82e405f6ed0b74f90ea0bdb7b948947daa8cc4b4402c69d71b614b659dabc0
Instruction Fuzzy Hash: 26725BB1E002199FCB14CF69D894AAEBBF6FF88300F148969E415AB291DB34DD51CF90

Function 07A08500 Relevance: 6.1, Strings: 4, Instructions: 1083COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A08524
(o^q, xrefs: 07A08BE8
4'^q, xrefs: 07A091E3
4'^q, xrefs: 07A0862B

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q
API String ID: 0-183542557
Opcode ID: 4c9c9fc2b0118353ac6d91b4db3ed269047015667c5220c684bebd5f325b40c2
Instruction ID: 0e12c2e0f3015bde8f069dda2ab644e8612fbb2fe6328d48969f20f59162f808
Opcode Fuzzy Hash: 4c9c9fc2b0118353ac6d91b4db3ed269047015667c5220c684bebd5f325b40c2
Instruction Fuzzy Hash: 96A280B4A00206CFCB15CF68D984AAEBBF6FF88300F158959E425DB3A5D734E941CB95

Function 07A04FC8 Relevance: 2.7, Strings: 2, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 07A0509E
,bq, xrefs: 07A050A8

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: a0891b9d7575e90c2510b2c2dca182dd016162edc9b3370752f365f547ce72af
Instruction ID: 9f00f6adc336008082faff977c674e172984cae6c82edf0e8a8fdd8ad84ad83d
Opcode Fuzzy Hash: a0891b9d7575e90c2510b2c2dca182dd016162edc9b3370752f365f547ce72af
Instruction Fuzzy Hash: 99917EB4E001069FCB14EFA9E884DA9B7B6BF89300F158969D425DB3A4DB31D861CFD0

Function 07A02106 Relevance: 1.8, Strings: 1, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 07A0210B

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 5e2e7e2585555ff0b6717efa977c3005aa26a2bff4fd039d8a751d0b5cf8bae6
Instruction ID: 53ec571f2828bce30a0c93d7a5db6ec31384fb9fa5e76efa4ae94c61512d17b7
Opcode Fuzzy Hash: 5e2e7e2585555ff0b6717efa977c3005aa26a2bff4fd039d8a751d0b5cf8bae6
Instruction Fuzzy Hash: 4052C974A002188FCB64DF68D998A9DBBB6FF89300F1045D9D509AB3A5DF34AE81CF50

Function 0778BD78 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684b601d355d10279f5ce1952077afeba58d00518841736b61228e4323fa9c9d
Instruction ID: a7daa34083edac03359c9b98c0df1f3596974ec0f53653e37eb244365b6b6699
Opcode Fuzzy Hash: 684b601d355d10279f5ce1952077afeba58d00518841736b61228e4323fa9c9d
Instruction Fuzzy Hash: 95C1BDF07407068FDB6AEB75C850B6EB7F6AF89740F144869D1468B2A0CB35E801CB62

Function 012A4668 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745759181.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75d3e4a143921f1df4d7c4b150bd4890ffede8ff48671fc10c2ebd4baa45c78
Instruction ID: 763b83faba0760f87ac91113604c8a1a05596c13a746a2b6854e4cb2ecc0defd
Opcode Fuzzy Hash: f75d3e4a143921f1df4d7c4b150bd4890ffede8ff48671fc10c2ebd4baa45c78
Instruction Fuzzy Hash: 9E515834D11248CFCB08EFB8E4986ADBBB2FF89301F509529E916A7354EB349946CF10

Function 07A06445 Relevance: 6.6, Strings: 5, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 07A06737
(o^q, xrefs: 07A06727
,bq, xrefs: 07A066C8
(o^q, xrefs: 07A063DA
,bq, xrefs: 07A066B8

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: 68c250989ec9378399ddae0df5e5e310aa79f1b4a6f76624ad988d19bed65706
Instruction ID: 614b1510d1e6dc7549ad09058b010d18c6b1e038c447d8774353d57d24b59dec
Opcode Fuzzy Hash: 68c250989ec9378399ddae0df5e5e310aa79f1b4a6f76624ad988d19bed65706
Instruction Fuzzy Hash: 21D16EB4A00209CFCB14CF64E594AADBBF1FF88318F148959E4259B2A1DB31ED51CF91

Function 07A077B8 Relevance: 4.2, Strings: 3, Instructions: 489
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 07A077D1
4'^q, xrefs: 07A077F7
;^q, xrefs: 07A07BEC

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$;^q
API String ID: 0-799016360
Opcode ID: 653d451bc8cada506fa249f55a5855a7670b762d68b0b137cd0c12187b707a5c
Instruction ID: dbaf2ac486622bf4e40bd46c530b86215fab9c9f06134207bea4c527ea6168dc
Opcode Fuzzy Hash: 653d451bc8cada506fa249f55a5855a7670b762d68b0b137cd0c12187b707a5c
Instruction Fuzzy Hash: 71F15CB03141028FDF159B39E554B3977A6AFC6744F18486AE122CF3E1EA39EC8287D1

Function 07A09E58 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 07A09EB5
(o^q, xrefs: 07A09E91
(o^q, xrefs: 07A0A4A1

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q
API String ID: 0-945150611
Opcode ID: 39b85b6e20370c40f93df58320de13ed2117b71e4ec38a974c46d2e81f296caf
Instruction ID: 458a95b5abb7af6fee3f7575ac2400e82fc7a36cd817f229ad50a7686c8be0b8
Opcode Fuzzy Hash: 39b85b6e20370c40f93df58320de13ed2117b71e4ec38a974c46d2e81f296caf
Instruction Fuzzy Hash: C3F12EB0A0061ADFCB11CFA5D584DAEBBF5BF89300F15C925E925A72A5C731EC91CB90

Function 07786CF8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 07786D62

Strings

\, xrefs: 07786CF9

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: ResumeThread
String ID: \
API String ID: 947044025-2967466578
Opcode ID: 60b06ed63d8e7d6f70ab07de9442f7d8f1c261297d583770afb3c4831e7df6c2
Instruction ID: 48e547b643852731102e43f5d6455b4937cca0f9ea05f45fd4487f59c7a4c281
Opcode Fuzzy Hash: 60b06ed63d8e7d6f70ab07de9442f7d8f1c261297d583770afb3c4831e7df6c2
Instruction Fuzzy Hash: 721116B19003499FDB20DFAAC4457DEFBF4EF88324F208829D459A7650CB75A544CFA5

Function 07A06BB0 Relevance: 3.2, Strings: 2, Instructions: 696
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 07A076D4
$^q, xrefs: 07A076F7

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 1d664d328f86bdc779f4876c464dd036dc5b07c655391c20598d6e520cb8c224
Instruction ID: 7802972f33404c142a3d7d454afcdb7be1d7751253806e34cbdc8fc3a01cd01f
Opcode Fuzzy Hash: 1d664d328f86bdc779f4876c464dd036dc5b07c655391c20598d6e520cb8c224
Instruction Fuzzy Hash: 80524F74A00219CFEB18DBA4C8A0BDEBB76FF94300F1081A9D50A6B3A5DE359D85DF51

Function 07A04A68 Relevance: 2.8, Strings: 2, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 07A04B86
Hbq, xrefs: 07A04B53

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 6f6764f067130a80b4e0256f80d573a9412a6ae47fff55179a68086bbbd12b53
Instruction ID: b82c2044d38d638680253267600c83018dd6da6bd98c6ca1eed2581ffaa415a1
Opcode Fuzzy Hash: 6f6764f067130a80b4e0256f80d573a9412a6ae47fff55179a68086bbbd12b53
Instruction Fuzzy Hash: 94B19DB03042968FCB159F78E89476A7BEAFBCA304F144969E6668B3D1DF34C851C790

Function 077875FF Relevance: 1.8, APIs: 1, Instructions: 263
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0778783E

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1ed7c98284eacc754ee71e1ad4a8c75817d8d7f788cdb942d2117db4548ea1d1
Instruction ID: 7151b4ba8d43694d69a0b0643185d093518b2b1804a540d281f6a5b69e869532
Opcode Fuzzy Hash: 1ed7c98284eacc754ee71e1ad4a8c75817d8d7f788cdb942d2117db4548ea1d1
Instruction Fuzzy Hash: B1A191B1D0021ADFDB14DFA8C8407EEBBB2FF44354F2485A9D819A7250DB749985CF92

Function 07787608 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0778783E

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 26196e1e56042595342185ec7fc47fe21edadf4a564577fa2465264e2ae9f63a
Instruction ID: e14967c67abfc2462faaa634708d92e3bdb0f9784fa2255fb3ba4e514840bd2a
Opcode Fuzzy Hash: 26196e1e56042595342185ec7fc47fe21edadf4a564577fa2465264e2ae9f63a
Instruction Fuzzy Hash: 689190B0D0021ADFDB14DFA8C840BEDBBB2FF44354F2485A9E819A7250DB749985CF92

Function 012AB150 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012AB3A6

Memory Dump Source

Source File: 00000000.00000002.1745759181.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_rrequestforquotation.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 43dbc7ba319cbc3840806f38ef10b1a1b0745e6ed5e7ef11ebcd36bf4189ed61
Instruction ID: b66c822001490f3b63a94a348c3c427900f5569de381178f09dca0b793f90531
Opcode Fuzzy Hash: 43dbc7ba319cbc3840806f38ef10b1a1b0745e6ed5e7ef11ebcd36bf4189ed61
Instruction Fuzzy Hash: 0B714670A10B068FDB24DF69D54479ABBF1FF88300F508A2ED58AD7A50DB75E849CB90

Function 012A5E9D Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012A5F59

Memory Dump Source

Source File: 00000000.00000002.1745759181.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_rrequestforquotation.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c2e48bb41afa86f2195c374d20096c6a29187307e114f3f096b52c6a89149e3e
Instruction ID: fae5cd0da747352aaaf94829104fa870911621fc85d50277c16c4b60d2e19b76
Opcode Fuzzy Hash: c2e48bb41afa86f2195c374d20096c6a29187307e114f3f096b52c6a89149e3e
Instruction Fuzzy Hash: 6641FFB0C00619CFDB24CFA9C844BCEBBB5BF49304F24806AD508AB255DBB56986CF91

Function 012A4618 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012A5F59

Memory Dump Source

Source File: 00000000.00000002.1745759181.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_rrequestforquotation.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ff234917ac66aa74fa35dec4207443a0aac21303560f09dda4436d46458adcf2
Instruction ID: 50b9e6ee9812e8386b4cbf2e8b821853e8e6d2310392420f4bbc73f2276dd6c7
Opcode Fuzzy Hash: ff234917ac66aa74fa35dec4207443a0aac21303560f09dda4436d46458adcf2
Instruction Fuzzy Hash: 6941F2B0C00719DFDB24CFA9C844B8EBBB9FF49304F60806AD508AB255DBB56985CF90

Function 07A0CFC8 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

@, xrefs: 07A0D11F

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: acf3a2a9ed618f0f5febc9853c6fc3ead1d9c58d716aef65f27de09f4c7e72ed
Instruction ID: b570a6384652555bc8f677610ea209a6fc8f68f62cc51efc7168460089ff609b
Opcode Fuzzy Hash: acf3a2a9ed618f0f5febc9853c6fc3ead1d9c58d716aef65f27de09f4c7e72ed
Instruction Fuzzy Hash: 09F191B5E002198FDB50CFA9D880B9DBBF1FB89314F1495AAD819E7345EB31A981CF50

Function 07787378 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07787410

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 92435a533ba6faa778eeed5db4d4588578d2828e724df84a2b2e83a3864168d0
Instruction ID: 103fba0f6402db14c1d85fe1f994293b28eba9b224528c01def902b495b6fec1
Opcode Fuzzy Hash: 92435a533ba6faa778eeed5db4d4588578d2828e724df84a2b2e83a3864168d0
Instruction Fuzzy Hash: 282157B19003599FCB10DFA9C884BDEBBF1FF48310F208829E959A7250C7789554CFA1

Function 0778737E Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07787410

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: da672b069bf88cc720106a69a80e917f3d3f7d06b07532245cca829c944732fc
Instruction ID: d2557d5be4a0d134cbb303c939fe8a0242a68faac5d1f471f1cf881a09c90649
Opcode Fuzzy Hash: da672b069bf88cc720106a69a80e917f3d3f7d06b07532245cca829c944732fc
Instruction Fuzzy Hash: 2C2169B19003599FCB10DFA9C885BDEBFF4FF48310F10882AE959A7250C7789944CBA5

Function 07787380 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07787410

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: efef9fd9528690efdf2f47ff2742a5c7344a9f26490b8f8088dfe8c09483aa4c
Instruction ID: 857ec2e9e92a2ef9b1a54a2bbfc6f663c8f93b95faf94886a9b1274ca73806c2
Opcode Fuzzy Hash: efef9fd9528690efdf2f47ff2742a5c7344a9f26490b8f8088dfe8c09483aa4c
Instruction Fuzzy Hash: 352136B19003599FCB10DFA9C885BDEBFF5FF48310F20882AE959A7250C7789954CBA5

Function 07786DA8 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07786E2E

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 08fbb1a96df8d91f48a8bb9d4007a00edfed2f4ce6a057a7f55c8b0734ef5827
Instruction ID: bb6bfb0569b6097cf8c4fa7ed4ab477e95b33622c8921664d503c9e536e5513b
Opcode Fuzzy Hash: 08fbb1a96df8d91f48a8bb9d4007a00edfed2f4ce6a057a7f55c8b0734ef5827
Instruction Fuzzy Hash: F32145B19002099FDB10DFAAC4847EEBBF4FB48364F10842AD459A7241CB789985CFA1

Function 07787468 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077874F0

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2825415d8a399e0fe0fce5672f3a3341dfd4c2b8f356128cb8f3d8bbe8b11b5c
Instruction ID: 8436e8a5dd709a467faa9daa7e9ac912028fba7bd68275d109c1efc6a45021e8
Opcode Fuzzy Hash: 2825415d8a399e0fe0fce5672f3a3341dfd4c2b8f356128cb8f3d8bbe8b11b5c
Instruction Fuzzy Hash: A32119B1D003599FDB10DFA9C844ADEFBF5FF48310F108429E559A7250D778A544CBA5

Function 012ACCC0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012AD5E6,?,?,?,?,?), ref: 012AD6A7

Memory Dump Source

Source File: 00000000.00000002.1745759181.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_rrequestforquotation.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 46b097104e17b9cf4374f26c0df7122bf784ea22211a605a3fdf69d219ec2ab9
Instruction ID: e8e4b9ebaef25451dff361cfce656f2e75574bb2109e6844bf34b5a405735071
Opcode Fuzzy Hash: 46b097104e17b9cf4374f26c0df7122bf784ea22211a605a3fdf69d219ec2ab9
Instruction Fuzzy Hash: 2221E3B591020CAFDB10CFAAD584ADEFFF8EB48320F54841AE958A7350D374A940CFA4

Function 07786DB0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07786E2E

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c792ad47634a4b6e9256ae8ae72032a44961c458237d0a471f6cb87739d14d6c
Instruction ID: d890b5a4c9ca0db324a799405e10597e4e40f295f1df52c3beb362eb8de1fd45
Opcode Fuzzy Hash: c792ad47634a4b6e9256ae8ae72032a44961c458237d0a471f6cb87739d14d6c
Instruction Fuzzy Hash: AC2138B19003099FDB10DFAAC4857EEBBF4FF48324F10842AD459A7241CB799985CFA5

Function 07787470 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077874F0

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c7394ea869b0915601e685bee5313535d463cb077f6a1fe134e6f2ffde9d987c
Instruction ID: 07e11c77c064ff88233077c748cb45cdabb34f7049b745c934f34cd8c250f916
Opcode Fuzzy Hash: c7394ea869b0915601e685bee5313535d463cb077f6a1fe134e6f2ffde9d987c
Instruction Fuzzy Hash: A82128B1D003599FCB10DFAAC840ADEFBF5FF48310F108429E559A7250C7349544CBA4

Function 077872BE Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0778732E

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 07e8b34a4402cffbf4e74bd3b7305c2b9cbf35e4ff52d205350734733c65b8e7
Instruction ID: e5b27edcc584b44a18afaa6f452529f081683741876a6860031b87f2e3823991
Opcode Fuzzy Hash: 07e8b34a4402cffbf4e74bd3b7305c2b9cbf35e4ff52d205350734733c65b8e7
Instruction Fuzzy Hash: 121159B19002499FCB10DFA9D845BDEFFF5EB48320F208829E959A7250C7359540CFA1

Function 077872C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0778732E

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 62d0809f0d4f8802405bbcd0a7fa4a59153d9d697e5416fb094dd24411b19b11
Instruction ID: 88242ca9ab6f6c8c8b1675a81bff0ca9d2f88aa76e990e5ee0cbe5dfbc341be0
Opcode Fuzzy Hash: 62d0809f0d4f8802405bbcd0a7fa4a59153d9d697e5416fb094dd24411b19b11
Instruction Fuzzy Hash: 5B1156B18002499FCB10DFAAC844BDEBBF5EB88320F208829E919A7250C735A540CFA1

Function 07786D00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07786D62

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: eda44a35e5187557d808222028e0142f4538e4b692cf694b4150ca6e0de369f5
Instruction ID: e6327bbc591ea3172faef10e1ba46350bca746b6a72d615f1986307109b65e8b
Opcode Fuzzy Hash: eda44a35e5187557d808222028e0142f4538e4b692cf694b4150ca6e0de369f5
Instruction Fuzzy Hash: 6F1128B19003499BDB20DFAAC4457DEFBF4EB88324F208829D459A7250CB75A544CBA5

Function 0778B0B0 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0778B115

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0a7a9fa63e3edd232e66a8d1482de05e0b8c8de83fc0f55cad7588fb8f5e2076
Instruction ID: 6532529d8c3f89d37c7a7fc1cea008a51a3492e22ea27dfa7b9fa80cb3c71762
Opcode Fuzzy Hash: 0a7a9fa63e3edd232e66a8d1482de05e0b8c8de83fc0f55cad7588fb8f5e2076
Instruction Fuzzy Hash: A31110B58007499FDB20DF99C848BDFBBF8EB48320F108859D568A7611C375A984CFA1

Function 07783F80 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0778B115

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 83a3f726ed21edfa5933d4e2dc355326ecc4a64d52b2a5ab1a7c3b9994a8d809
Instruction ID: 097ce305a727a47a968475f4cae20090a787fd07e879e7e36deb4efd59616292
Opcode Fuzzy Hash: 83a3f726ed21edfa5933d4e2dc355326ecc4a64d52b2a5ab1a7c3b9994a8d809
Instruction Fuzzy Hash: 0A1103B5800349DFDB50DF9AD885BDEFBF8EB48320F108819E958A7610C375A984CFA1

Function 012AB340 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012AB3A6

Memory Dump Source

Source File: 00000000.00000002.1745759181.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_rrequestforquotation.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e6ba1b9bdab6c362d9d2003eaca79f1ddbb7f2a5990f4aa356c6ad6fb7c0dbd2
Instruction ID: 0b8890313e3d1cdf72ab6178ddd8442d72c7c0c2192c16e01bedec778af54030
Opcode Fuzzy Hash: e6ba1b9bdab6c362d9d2003eaca79f1ddbb7f2a5990f4aa356c6ad6fb7c0dbd2
Instruction Fuzzy Hash: A011E0B5C003498FDB10DF9AD444ADEFBF4EB89324F10842AD959B7210D375A545CFA5

Function 07A0BDB6 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

LR^q, xrefs: 07A0BE32

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a582c7c4c424b2ab82a6da2e65a82fc8b078d5dfd5fa6555eedcb7d4c8d5a11a
Instruction ID: a90a6525e21652072162a890be98b9de6534c5853e83be7fc00088652d6fc0f8
Opcode Fuzzy Hash: a582c7c4c424b2ab82a6da2e65a82fc8b078d5dfd5fa6555eedcb7d4c8d5a11a
Instruction Fuzzy Hash: DB91D7B4E042099FCB14DFA9D9906EDBBF2EF89310F208569D829E7381DB359942CF50

Function 07A0CA6C Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07A0D861

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: bdc81cb79f6e2e1391a67bf51e174d3ed376431bc8b3c48b67fb01b104620198
Instruction ID: 95865f97f089acf70064cb9bf427fb83f8f3f73b211b69ab98ed16d4c7e35a90
Opcode Fuzzy Hash: bdc81cb79f6e2e1391a67bf51e174d3ed376431bc8b3c48b67fb01b104620198
Instruction Fuzzy Hash: CA516275B002068FCB14DBB9D8489AEBBF6FFC5320B148929E465DB391DF309D058B91

Function 07A0C440 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8bq, xrefs: 07A0C4E1

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 67ad18b55100c6b5e79ffa02600991e877d9d05939c4c82a04881546d458ca46
Instruction ID: 6ddcc2417e2f368a462a523a27eeef14eee14896bfc1734ccdff9280c86a68b8
Opcode Fuzzy Hash: 67ad18b55100c6b5e79ffa02600991e877d9d05939c4c82a04881546d458ca46
Instruction Fuzzy Hash: BD41DAB8E01109DFCB04DFA8E5955EDBBB2FF89310F108529E819E7394DB31A942CB90

Function 07A0C430 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

8bq, xrefs: 07A0C4E1

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 0286208193e27b421167a806858610b6d9713c90b1b21bff4c76fb2b3f24b1d8
Instruction ID: a909e847803c0db7149b974b003f47067ae862f9f6ba00eb533251c177ce7632
Opcode Fuzzy Hash: 0286208193e27b421167a806858610b6d9713c90b1b21bff4c76fb2b3f24b1d8
Instruction Fuzzy Hash: 25410D79E001099FCB04DFA8D8916EDBBB2FF89310F14856AE815E7390DB35A902CF90

Function 07A0D620 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07A0D68B

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: fcba0ff6cd14668d2c21533a14eccd65e3ad79a36dbb1c9d71e4e8af0505cb59
Instruction ID: 9f85f2b98b6eb8d422b97b7fbee75b7460b341fd71d62b0d24a3219d58fb9bf0
Opcode Fuzzy Hash: fcba0ff6cd14668d2c21533a14eccd65e3ad79a36dbb1c9d71e4e8af0505cb59
Instruction Fuzzy Hash: 50115176F1020A8BCB44EBB9A9005EEB6F2ABD5314F50446AC519EB244EF319E05CBD2

Function 07A0D5E8 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07A0D68B

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 350d2f6c05ce3e35e873045b7bb7b9de1a8b13b9d8389007c6c9e35148fb18d1
Instruction ID: f0dc5924ac4cec7eced487d3f3c6faacd55f3204a64c629d795beac5d0ce563b
Opcode Fuzzy Hash: 350d2f6c05ce3e35e873045b7bb7b9de1a8b13b9d8389007c6c9e35148fb18d1
Instruction Fuzzy Hash: 8401D876B1010A8BCB05EBA4E5406EE77A3ABD4314F104956C4199B294DE31DD05C7D3

Function 07A0B360 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

6, xrefs: 07A0B374

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: 93736a36a5f17e885d3d9cb31592d9fd9d0cbb122187f3d62677b58218e09c2a
Instruction ID: e192ed9fe59871ed367c32b68b218a073d0bf3104d5c19b6d7c1ea02ae6049bf
Opcode Fuzzy Hash: 93736a36a5f17e885d3d9cb31592d9fd9d0cbb122187f3d62677b58218e09c2a
Instruction Fuzzy Hash: 46E0CDF0941309DBCB14DFB4EA4915DBBB8D705301F104554D40597A80EB315A44C6D3

Function 07A0C050 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

7, xrefs: 07A0C064

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 5c69bd2679e1a6a3585123e43e44b7264cc2148ae30e790ea8e693ce331633f0
Instruction ID: 46e861136da2bf1911d43db7233821abe76196929907615f342decb76a063803
Opcode Fuzzy Hash: 5c69bd2679e1a6a3585123e43e44b7264cc2148ae30e790ea8e693ce331633f0
Instruction Fuzzy Hash: 2EE0C2F0D05209DBCB18EFF4E5456ECBBB8AB02315F004BA4D415932C0DA310B48C6E1

Function 07A0A4E0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff714ec70cbb778f1b67c2fb29cd645d3be954b2d7e727634a05938621bbd0dd
Instruction ID: a93807a5088b3c17551c74b44930d4cf19d3147a4616e5875eaa546fc8a9dcf7
Opcode Fuzzy Hash: ff714ec70cbb778f1b67c2fb29cd645d3be954b2d7e727634a05938621bbd0dd
Instruction Fuzzy Hash: 00F1EDB6A002158FCB14CF68D5889ADBBF6BF88311F1AC559E415AB3A1DB31EC45CB90

Function 07A0E8B8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31548c5e0c4d82fe97620edb85855489570aafa0f2bf15a69828ac533fc1657
Instruction ID: cc7bbdba5a7d7abcd0f57aadcf3d11a532f557a36be69ccc9447934ef27a46c3
Opcode Fuzzy Hash: b31548c5e0c4d82fe97620edb85855489570aafa0f2bf15a69828ac533fc1657
Instruction Fuzzy Hash: 0191A5B5E142198FDB14DFA9D880AAEBBB6FF8A300F108865D819E7351D7319946DF40

Function 07A067F8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5ef7932de7b485c142d7e96658477c62123346a2dd0a9e6dd8a44429289893
Instruction ID: 34cba7e5ca47072127e29c726d58e03cc76cdfa55225c43a56f811ac40a400a4
Opcode Fuzzy Hash: 4d5ef7932de7b485c142d7e96658477c62123346a2dd0a9e6dd8a44429289893
Instruction Fuzzy Hash: 9C7117B47002068FCB14DF28D898A697BF5AF89785F1504A9F825CB3A1DB70DC61CB91

Function 07A09C00 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa6aee0fe637ae93f0d05bcf0834b2da234910727642ae80cb05c992088468f
Instruction ID: 8d583a319859a4ce1310d14dea840881967546905bd1c148057070f0f9bbdf26
Opcode Fuzzy Hash: 4aa6aee0fe637ae93f0d05bcf0834b2da234910727642ae80cb05c992088468f
Instruction Fuzzy Hash: 906173B1E007499FDF16CFA5C5446DEBBF2AF8A300F244A19D819AB282D770B945CF80

Function 07A0AD48 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2ad7fd94be267bed42fdc7675a8aca7af5619cb0f564fe4862496b6d1f1892
Instruction ID: 5b1776c8c8de38a132518b89b3fcc7d57cc40a5d9639216988ccfd200d7f4409
Opcode Fuzzy Hash: 0c2ad7fd94be267bed42fdc7675a8aca7af5619cb0f564fe4862496b6d1f1892
Instruction Fuzzy Hash: CF613D74E01219CFCB44EFA8E5949EEBBB2FF49301F108969E856AB364CB355805CF90

Function 07A0AD58 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b05bb50dfd1cbd22f1c878ee316460a8c3b9897ab7c0a0d17dfd8607f459b38
Instruction ID: 7f50c586fc7b4e78233daa4542e862ecebd8e6cc0e17bfbe8e41884fb2ddf328
Opcode Fuzzy Hash: 3b05bb50dfd1cbd22f1c878ee316460a8c3b9897ab7c0a0d17dfd8607f459b38
Instruction Fuzzy Hash: BD612A74E01219CFCB44EFA8E5849EEBBB2FF49301F108969E856AB364DB355805CF90

Function 07A09BF1 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ee90497a5d03a605135617dbae361a4bc4fe0a71d416ab1889c02a68c5249f
Instruction ID: 3c305709e70dcc092ba260a59ad46fca8cc1c8d0331f0f60efa329c0348fe148
Opcode Fuzzy Hash: f4ee90497a5d03a605135617dbae361a4bc4fe0a71d416ab1889c02a68c5249f
Instruction Fuzzy Hash: D25170B1E007498FDF15CFA5C1446DEBBF2AF89300F244A19E819AB282D770B945CF40

Function 07A0AFD8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052c154128b30a897d9e7104857aee424f36251df3def9534ecddf697869e7f6
Instruction ID: b961e2dc91eeb830d33e82bb4969946284a06ab8ebd76ba4e97c3546f1fc6e7a
Opcode Fuzzy Hash: 052c154128b30a897d9e7104857aee424f36251df3def9534ecddf697869e7f6
Instruction Fuzzy Hash: 5241ACB4E1420ADFCB04DFB9E9559AEBBF5BF49341F109825E425E7290EB309941CFA0

Function 07A089D3 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15573191eaf25259d1945a2780127cd0ff0bb64da9cc74e1acd7b0cfcd04ea7
Instruction ID: 057c075c766a87eca8ca244f28cb4b37b4ec52057235c2d4d169212472125e12
Opcode Fuzzy Hash: c15573191eaf25259d1945a2780127cd0ff0bb64da9cc74e1acd7b0cfcd04ea7
Instruction Fuzzy Hash: CF41E9B1A0024ADFCF15CFA8D844A9DBFB2FF8A350F058555E8659B6D1D338D920CB98

Function 07A0E8A8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d788f56a72f24f9fa8653afcaf9ffed676ca1734e0ffebde0a5e48cd80bb5dad
Instruction ID: 9c49b85b5c062547b42249c5071080d6b4c024f5b026e1ebe086b5e1cb739e5d
Opcode Fuzzy Hash: d788f56a72f24f9fa8653afcaf9ffed676ca1734e0ffebde0a5e48cd80bb5dad
Instruction Fuzzy Hash: 4F51A3B5E002198FDB54DFA9D98079DFBF2AF89300F14896AD819E7354EB309986CF40

Function 07A04890 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbea5cf6b0aa1ae2251d0c0c784ac2178a5350852f93b74ac57d531d5fff2dff
Instruction ID: 8e88dfe3c63ec64954bc90efb168d9e75c16568f5900f11daae94acb379cc4df
Opcode Fuzzy Hash: fbea5cf6b0aa1ae2251d0c0c784ac2178a5350852f93b74ac57d531d5fff2dff
Instruction Fuzzy Hash: 0741A0713442458FDB059B29E854B6A7BA6EF8A350F1884A9F656CB3E1DB31DC02CB90

Function 07A0AFBD Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6bdf2a4c401313339bfddc88c86a377209d3905b14fb832f9545adc6769c53
Instruction ID: 52c67ea03151e849604016a0ccf82fe53c56b576e03443ec6d197121bcc36606
Opcode Fuzzy Hash: bf6bdf2a4c401313339bfddc88c86a377209d3905b14fb832f9545adc6769c53
Instruction Fuzzy Hash: 1D41EAB4E1124A8FCB05CFB9E9555AEBFF5BF89301F108826E415E7290EB30D901CBA0

Function 07A0EBD0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a5269c6b4257febb406e4f91c11306d74c0d5ef87caf637b90c3b7f78894da
Instruction ID: cfe4928684a0ad33fae91e654ce37cdcd4b0eef2a8467ff8b9c28087afb7c134
Opcode Fuzzy Hash: d8a5269c6b4257febb406e4f91c11306d74c0d5ef87caf637b90c3b7f78894da
Instruction Fuzzy Hash: CD316BB59002099FCB14DFA9D944A9EBFF9FB49310F10882AE519E7260D730A940CFA1

Function 07A041F0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0fb7bdb1aade881981fe9ff1d035b6d07337e7d2386da7ab9ba370acfe8406
Instruction ID: 7c9e97b8676f425a2bfc0620f13a2a6e0557e04db5d06b682f472ac4628b5493
Opcode Fuzzy Hash: ea0fb7bdb1aade881981fe9ff1d035b6d07337e7d2386da7ab9ba370acfe8406
Instruction Fuzzy Hash: C7316D7570414AAFCB05AFA4E894AAE7BB6FB8D340F504414FA258B294CF38DC61CBD0

Function 07A049C8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b87397a839f330ccf2dbe185afb1fa847f698b232b700ab1ca2c6d44ec12c6e
Instruction ID: 9f94090d8b29e505039e1eeca4b27eaa0839757d5297081655292695252c2bf0
Opcode Fuzzy Hash: 6b87397a839f330ccf2dbe185afb1fa847f698b232b700ab1ca2c6d44ec12c6e
Instruction Fuzzy Hash: 5A3181B26082969FCB11CF54E840BAA7BB6FFCB350F098456F658DB291D634D811C7E4

Function 07A0EBA4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9dde7eff4f6f2c44ca283abbc09965f9f925ae31821f22c450879a5d09ff96
Instruction ID: 976ad619dc6fc309cc8c4beceb4f0ca6353db535bebe013691a94fd4ffb8fd04
Opcode Fuzzy Hash: ff9dde7eff4f6f2c44ca283abbc09965f9f925ae31821f22c450879a5d09ff96
Instruction Fuzzy Hash: 1321B4B1A08208AFDF08EFB4D955AAD7FF9EB45300F1089AAE805D7291FA31DD05D791

Function 07A06AA0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e9ee020eb837663e8f02e437841e00c999bae368516906856ef8e642b2c67e
Instruction ID: 39599046237898b37008c0ec4b35215aa637a5a113b76954c25235f62cc94ee8
Opcode Fuzzy Hash: 66e9ee020eb837663e8f02e437841e00c999bae368516906856ef8e642b2c67e
Instruction Fuzzy Hash: 4E21D3F13902024BDB142B25E49463E6ADAAFC6B0CF144838E416CB3D4EE29CC5293C5

Function 07A06A90 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d699b55e34d35103d4bd36e18035e76b2fe883b0ee5301437ecce90ee846749c
Instruction ID: c7843dba38fe540e6f169f54cd19371860819371a981e8c04e9dcde09ecc82e6
Opcode Fuzzy Hash: d699b55e34d35103d4bd36e18035e76b2fe883b0ee5301437ecce90ee846749c
Instruction Fuzzy Hash: A221C1F13902024BDB156B25A89463D6AEAAFC670CF184839E416CB3E4EF29CC1292C5

Function 07A0A4D0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd0a6f834434009f48cfea42e4f5e9fd6b85e903fda0d068f653f1f9b60ba01
Instruction ID: eb366f8df4cb23388c24b67d2c8882235dcb637d0453aedda3eb174cdc8f8275
Opcode Fuzzy Hash: 9dd0a6f834434009f48cfea42e4f5e9fd6b85e903fda0d068f653f1f9b60ba01
Instruction Fuzzy Hash: BD3145B1A002098FCB14CF68D884AAEBBF6BF84320B15C559E5259B3A5DB34EC41CBD0

Function 07A041C8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde3fe515f50fdd85315054b3fbc8f50a6f76b4c0d5a53db775e9bc05ee5439f
Instruction ID: a7771a4bddb1728594e19cae8e49cd4b3daed4c01c296f1979315f62a19b7db7
Opcode Fuzzy Hash: fde3fe515f50fdd85315054b3fbc8f50a6f76b4c0d5a53db775e9bc05ee5439f
Instruction Fuzzy Hash: FD21B1716082869FCB12AF78E8947AA3F75FF8A710F4404A9E955CB295CB38CC50C7D1

Function 010BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745446562.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8a39ef8b5256f8d135672208b122fdf70bf9ed145c2d66c41583f231d40c5c
Instruction ID: 70efdb469e1d5dd895777548d8951208b639ff81f4b812efdcc6cbcbf124fc99
Opcode Fuzzy Hash: 5b8a39ef8b5256f8d135672208b122fdf70bf9ed145c2d66c41583f231d40c5c
Instruction Fuzzy Hash: 73212571500240DFDB05DF58D9C0B6AFFA5FB8831CF20C5A9E9890B256C33AD456CBA1

Function 07A0CEF0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0217d3a38607ba282c94373beb9db789a1967552b6ac5cc85608ecf48850a36c
Instruction ID: e472d76c73c9302ffe27f910b35780b62c36504d1aa784547a6dfc8ae407bd27
Opcode Fuzzy Hash: 0217d3a38607ba282c94373beb9db789a1967552b6ac5cc85608ecf48850a36c
Instruction Fuzzy Hash: B1315FB5E1121ADFCB40CFA9D5956EEBBF5AB48310F10856AE824F7340E7349A40CFA1

Function 07A04E30 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a4362848a733605ab53f8e06e53d8ea700fa1590d3336cad682b6b09765dce
Instruction ID: 939ea01f1f1de3fd274b5caa53c21874b02d5c22482b611073bb76f581a78666
Opcode Fuzzy Hash: 74a4362848a733605ab53f8e06e53d8ea700fa1590d3336cad682b6b09765dce
Instruction Fuzzy Hash: DD21D134300612CBC7259B69E49466AB7A6FFCE750B144568EA26CF394CF30DC028BC0

Function 07A0CEE0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed1ac6e4794de84b428d54385ef067249c322c36f976833292b3940db1bb923
Instruction ID: 0e878c451dbed45f4f7f117bfd655a81c3a453ba7fcfd012606bf2f20de7ea33
Opcode Fuzzy Hash: 5ed1ac6e4794de84b428d54385ef067249c322c36f976833292b3940db1bb923
Instruction Fuzzy Hash: 3131B8B1E1124ACFCB00CFB9D5556EEFBF1EB49310F10896AD424E7281E7359A41CBA1

Function 07A09694 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7baca70b7063419c0e87664267867d256145ad4eb87937fe0fce73e24f9438f
Instruction ID: d32be660c52734d8ac7ac31ba03b10285f2b7f26fa830a427b63fd8e58db3e88
Opcode Fuzzy Hash: c7baca70b7063419c0e87664267867d256145ad4eb87937fe0fce73e24f9438f
Instruction Fuzzy Hash: DF31E0B1D00218EFDB20DFD9D588B9EBBF4AB49314F20846AE418BB290C7B55885CF95

Function 07A0D8A4 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2db6ee5813424e394071eda0b5b43a4dd13b8f77eb62fdfb7b6ba577cd3a564
Instruction ID: 158948736f24aab9dc3ee015e6fd514033ad9094e1aa1969470e4b6e90841397
Opcode Fuzzy Hash: e2db6ee5813424e394071eda0b5b43a4dd13b8f77eb62fdfb7b6ba577cd3a564
Instruction Fuzzy Hash: 9431E2B1D01218EFDB20CF99D588B8EBFF4EB48314F10845AE418BB294C7B55885CF95

Function 07A04E20 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eeef9eb104a2e21849cd961fc7feac2184ca6edbdaf75f1e74024db4c41ff1e
Instruction ID: 7fc61bb146a32c6e0b08bf9031310e2c9840746b61dbf0a27650bbe3a4ee6c62
Opcode Fuzzy Hash: 6eeef9eb104a2e21849cd961fc7feac2184ca6edbdaf75f1e74024db4c41ff1e
Instruction Fuzzy Hash: 8711A371300653CFC7199F29E4A4A6ABBA6FFCA751B184969E916DF390CF20DC0287C0

Function 07A08AB8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbba2c558d82bf0d025381b99fe0dd3227af39b66e06b4da7851f518917ebf24
Instruction ID: 07260549b1b16ef3f630306002250b4208248570e50448a55c02ae2cb1f11553
Opcode Fuzzy Hash: cbba2c558d82bf0d025381b99fe0dd3227af39b66e06b4da7851f518917ebf24
Instruction Fuzzy Hash: 6B11E1F16002069FCB10CF5DD885B5EBFA6AF86310F098959D968AB2D1D374E810C7DC

Function 07A0D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966c74a707ef9b8fc07938393af48e6a90717b4e0589176bb97a51381dfe8f1d
Instruction ID: e814a3e7b21a16fa335187f65ef9839059495a2e0d33f389da6701689f1972ee
Opcode Fuzzy Hash: 966c74a707ef9b8fc07938393af48e6a90717b4e0589176bb97a51381dfe8f1d
Instruction Fuzzy Hash: 9511E3B6A003025F8B15DBB899449BFBBFAEFC43607254E2AD424D7390EF30890587A1

Function 010BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745446562.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 11f7b0546ea5ff989d032eee675f853b1ef9f7645a4b9d22a0a681579c5b7ade
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: CE11E172404280CFCB02CF54D5C4B56FFB1FB84318F24C6A9D8490B256C33AD45ACBA1

Function 07A0EBE0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780e1f09e5a916e8592c8bc8e11542d5da4be7bc01940f67f257653adca9be26
Instruction ID: a01a016e9cc61a5ee767a2389ab603c17fce6b3936bf9fdfccdd8809bba72912
Opcode Fuzzy Hash: 780e1f09e5a916e8592c8bc8e11542d5da4be7bc01940f67f257653adca9be26
Instruction Fuzzy Hash: 282103B59003499FCB20DF9AD884ADEBBF4FB48320F108429E919B7351C375A944CFA1

Function 07A0FBE0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a9e51bbcf95af45c1bd59f31a1b06b0f4f7172694abaa487b8269a5690cdb8
Instruction ID: 1f1b4ac11c19cefa613939d3f44a4390f1dd226e05e6cdc8cd4fe6feea04590a
Opcode Fuzzy Hash: c2a9e51bbcf95af45c1bd59f31a1b06b0f4f7172694abaa487b8269a5690cdb8
Instruction Fuzzy Hash: 940171B1D05206CFCF15CFA4E9861ADBFB5EB4A311F148896D824E7291DA308A41DB80

Function 07A049D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2246636daf33ad1d7e0706610bf9bcc96a1780428b6c554a77932e7c1834f5ee
Instruction ID: 50701b838c0c31b452d3fc0d8bc19ab089fe91f6180df10d476834a1e1b6f5b1
Opcode Fuzzy Hash: 2246636daf33ad1d7e0706610bf9bcc96a1780428b6c554a77932e7c1834f5ee
Instruction Fuzzy Hash: 910126727000556F8B059EA8A820AEF7BABFBCD350F188029F614C7280CE71DC2197D4

Function 07A0BD2A Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951b8c804f1151f4847c65930be9f0259c3818b9ae8338d34bfc4616689f34b9
Instruction ID: 7ed6f033c5220892047721952c4be0062b654cf4e36a5061efa6092746bdec4a
Opcode Fuzzy Hash: 951b8c804f1151f4847c65930be9f0259c3818b9ae8338d34bfc4616689f34b9
Instruction Fuzzy Hash: E501D1B090E3C49FCB16CBB8D905498BFB0DF43314F1889EAD494DB293C6350906CB42

Function 07A0E838 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9911273c594c492eb8d99ff9ce2050bc601153eda6d81d4b89dc0af40efaec7
Instruction ID: b8830f3faa0f3962012fa97bee85a7763d0f40b7bf3d6752d0850a1fb0cb216e
Opcode Fuzzy Hash: c9911273c594c492eb8d99ff9ce2050bc601153eda6d81d4b89dc0af40efaec7
Instruction Fuzzy Hash: 2801FBB4D1524ADFCB44DFA8D5452AEBBF4BB48301F108869D815E3340EB308A04DB51

Function 07A0E828 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e491a7d6f42c75504c71a5e7953d07181b375c44107470c8b3c9d1cb0ee1d4e6
Instruction ID: e8235dbaea7c248f424a17a3220849a6267a5478a196cbd412a9c21ff5e1ce1c
Opcode Fuzzy Hash: e491a7d6f42c75504c71a5e7953d07181b375c44107470c8b3c9d1cb0ee1d4e6
Instruction Fuzzy Hash: D4016DB0D192499FCB44DFB8E5052AEBFF5AF49301F1088AAD814E3381EB318A08CB41

Function 07A0B2E8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de758e711e72c4bb1658de2eddda9f0fbe695d3bde382ec653ddc72a3fc9586
Instruction ID: f8c9ca645b724baad151389f3b9bcca029c7643b84ecd18d9600b0f31c95d98c
Opcode Fuzzy Hash: 1de758e711e72c4bb1658de2eddda9f0fbe695d3bde382ec653ddc72a3fc9586
Instruction Fuzzy Hash: 44F04FB4E042099FCB44DFA8D9416AEFBF4EB45300F1098999824E7780EB719A01CB91

Function 07A07F9A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753bc3be74b2f2ac5267186e6e022c0fac932ef9245eb0e24a2cac53c3fd7614
Instruction ID: 7a8daa91458b954b1ee456be6bf3f37e04f5deea0ae3fc330c05fb0b03149743
Opcode Fuzzy Hash: 753bc3be74b2f2ac5267186e6e022c0fac932ef9245eb0e24a2cac53c3fd7614
Instruction Fuzzy Hash: 8601F4B1A04149EFCF05EFB8E5856DCBF70EF81310F400AA9D5149B291DB312A06C781

Function 07A0FC38 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220513cca5d9198cb595aaa52deab47974c3f91a3b3aab90abaf73fbeb4024d3
Instruction ID: a87cd573ba75496b1358b8922eca91b4232e20648035a3099ccf1ed0c2305785
Opcode Fuzzy Hash: 220513cca5d9198cb595aaa52deab47974c3f91a3b3aab90abaf73fbeb4024d3
Instruction Fuzzy Hash: F6F097B4D1520ADFCB54DFA9D5425AEBBF4AB49300F1099AAD819F3340EB709A01DB91

Function 07A0C3D8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4fb59bbcf25df7a3ab5669d5651cdadc8a780d3f18d563cb343a25a9c4357d
Instruction ID: 959ec079907d1426d8a715937fcc5b8c768a9c4973d68663e51ad04b781371c7
Opcode Fuzzy Hash: ec4fb59bbcf25df7a3ab5669d5651cdadc8a780d3f18d563cb343a25a9c4357d
Instruction Fuzzy Hash: 7CF0C4B4D1520A9BCB44DFA9E5055EEBBF5BB48310F1095699819E3240EB319A009BA1

Function 07A0BD48 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d5def0f8d11cb1ecde71cb15b0f88824724a23e798cca979d9077db97de785
Instruction ID: b11342e3973a4f5af31e85fc9c76061ece7f78c4538f3efa9ca37083fc88ab20
Opcode Fuzzy Hash: d6d5def0f8d11cb1ecde71cb15b0f88824724a23e798cca979d9077db97de785
Instruction Fuzzy Hash: 2FF0DAF4D15219DFCB44DFB9E9455ADFBF4EB49310F1098AAD828E3340E7705A408B90

Function 07A0FC28 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84974cf3a4267fae31d0278f4602b25994b275ef14d4980e940bd912d8674bb
Instruction ID: 80ce154a5274347ee5a2e6d8be58c115ac836f3f1a22c00fe425d8a258037925
Opcode Fuzzy Hash: c84974cf3a4267fae31d0278f4602b25994b275ef14d4980e940bd912d8674bb
Instruction Fuzzy Hash: F8F090B0D0420A8FCB25CFA9D5466ADFFB4EB48310F1489AAE854A7290DB754642CF80

Function 07A0C3C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e884c7aaaae5be85c58fce7cbb3ebafd9b909bdeae49b8a94010bec64ce9567e
Instruction ID: 2f26be54b50b98162f8891b35862e822ee92d5f061178b0840b1480e531cb56e
Opcode Fuzzy Hash: e884c7aaaae5be85c58fce7cbb3ebafd9b909bdeae49b8a94010bec64ce9567e
Instruction Fuzzy Hash: 77F090B4D0520A8FCB15CFA8D5456EDFFF5FB44310F1086A9E855A7290DB354642CB40

Function 07A0F060 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f84eaa182f01a80fb181898df5894e3aaadcaca273aca1c11720fab8256360
Instruction ID: 9bd4c276fe340b78ab7f55f3f270793f4501820601c0dae18d1cdbeaa6e1cf90
Opcode Fuzzy Hash: 92f84eaa182f01a80fb181898df5894e3aaadcaca273aca1c11720fab8256360
Instruction Fuzzy Hash: F7F0E272604004AFDF08EFA8E960E9EBFBEEB44310F10C56AE004D7364E630A900CB80

Function 07A07FA8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6540f74154fc10fd4f7f83e210c8c8f7b37284eabb60f608dd3154b7ca90ba3b
Instruction ID: 6360c661b11cbaa21859041e7f1e1cdec6458d7e50871ad82e294455baa67547
Opcode Fuzzy Hash: 6540f74154fc10fd4f7f83e210c8c8f7b37284eabb60f608dd3154b7ca90ba3b
Instruction Fuzzy Hash: 35F0F870950109EFCB40EFA8E9955DCBBB5EF84200F905AA89909EB654EA306E498B41

Function 07A0CEA8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586f753b4214554305ead9280f2525cfdc9b3f32867564325fd530d139ef079f
Instruction ID: fe66894ed30707dbcf3a5e83f5606b623df7cf0735968ee363e513df75ca7d7a
Opcode Fuzzy Hash: 586f753b4214554305ead9280f2525cfdc9b3f32867564325fd530d139ef079f
Instruction Fuzzy Hash: 98E0C2F098610CD7CB00EBB4E5052EDBBB89F01320F104A98D40593280DA310B44A7E1

Function 07A07618 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 942b340669cfb0e3a4bccdc4f179ccfd49164ccebe7f25c02767f20957051aeb
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: B9C08CB320C1282AAA38104E7C84EA7BB8CC3C23F4E210537F92CC3280AC52AC8142F5

Function 07A05268 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef530157c8d12929144548de658731e939f0f6b3c024a4d6dbf32460510ad8c2
Instruction ID: 69e5ff0f4a372f613a291d311d1ea81bfdde4d5a2778ed5b91df4e734b40bcc1
Opcode Fuzzy Hash: ef530157c8d12929144548de658731e939f0f6b3c024a4d6dbf32460510ad8c2
Instruction Fuzzy Hash: 3AD05E354441040ACA0AEB78AAA1BA0B77AFBC6200F646A6594548A169EB3449898640

Function 07A05278 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43a7d83a2796d07749c2a6db525c8108d5d6d63261c2ffb110b751e30d3a228
Instruction ID: f04d108b261486e6be8453a23a5ea07e20f01b0e7e2096923894f20a0ec8226b
Opcode Fuzzy Hash: c43a7d83a2796d07749c2a6db525c8108d5d6d63261c2ffb110b751e30d3a228
Instruction Fuzzy Hash: 0EC080311542094FCA02F7B5F995695F77EFEC0300F504530A4094E62DFF745C484690

Function 07A09684 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78671c373268442a1a5da592ef0d42f76645e5816c90cd0cd839c6df37e174c8
Instruction ID: fbd1acc5253957fb630c1eb13c623ae8b33640fa729fc1b6a85eb19e4fec1d2b
Opcode Fuzzy Hash: 78671c373268442a1a5da592ef0d42f76645e5816c90cd0cd839c6df37e174c8
Instruction Fuzzy Hash: 96C02BBF140000DE8600F740C6C0C25FEB1FF45300B80CC11E11486074C620C438A783

Function 07A0CD5C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793864b09a85141d26de22c35fc7ff108cfdf1edb779ecbe1889f198b15779bb
Instruction ID: 8bfa4ef5277eddfe3211bbf333a7c7c6d19fdcea9286004a51f65356dec89651
Opcode Fuzzy Hash: 793864b09a85141d26de22c35fc7ff108cfdf1edb779ecbe1889f198b15779bb
Instruction Fuzzy Hash: B1B012FB1EC500E6641037649A9083AD461FBB3700F80CC21F31A9409494608468B157

Non-executed Functions

Function 07A02C38 Relevance: 8.1, Strings: 6, Instructions: 624COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A02D00
4|cq, xrefs: 07A02E43
4|cq, xrefs: 07A02E28
4'^q, xrefs: 07A02C53
4'^q, xrefs: 07A02CDE
4'^q, xrefs: 07A02CAE

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4|cq$4|cq$$^q
API String ID: 0-1027864050
Opcode ID: c9c3368daf08c6efdda0c26a2c85035f1bf18c49d5771b6d9c88a094025b2127
Instruction ID: 7afb7eec8ae5397a1950dfe8ffab72078ae03072db7d807be79153325eb4bae8
Opcode Fuzzy Hash: c9c3368daf08c6efdda0c26a2c85035f1bf18c49d5771b6d9c88a094025b2127
Instruction Fuzzy Hash: A622F6B17442618FDB15AF3CE5A46A97FA2BFC5300B1948AAD055CF3E2CA20DC86C7D5

Function 07785238 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

R>", xrefs: 07785293

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: R>"
API String ID: 0-713062378
Opcode ID: 167a6d181f42c3e50fd611bbd16613a73a8f77b0a2a80e6a565419431646e1a0
Instruction ID: 176cf9814383a311e742845f23d772a4806049718319f353f6f287a67c8fd057
Opcode Fuzzy Hash: 167a6d181f42c3e50fd611bbd16613a73a8f77b0a2a80e6a565419431646e1a0
Instruction Fuzzy Hash: B9E1E9B4E002198FCB54DFA9C5809AEFBF2BF89345F248169E815AB356D730AD41CF61

Function 07785228 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

R>", xrefs: 07785293

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: R>"
API String ID: 0-713062378
Opcode ID: 4320b7620dc2813b30aac95a683fb89ff190a856a6744177ab7c7e24d4d926b3
Instruction ID: 0b6a73107fb9b1fa91b1534b7f876f68de9043c489380ce83b7bb631df39b90d
Opcode Fuzzy Hash: 4320b7620dc2813b30aac95a683fb89ff190a856a6744177ab7c7e24d4d926b3
Instruction Fuzzy Hash: 7A5109B0E002198FCB54DFA9C5805AEFBF2BF89344F24816AD418AB256D7309D42CFA1

Function 077849A7 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11c5f4a4417ae6c0d408d27bc53453b1063a3b1d8582a93841313df0d893c5f
Instruction ID: 021271c9734bfeda9f8df566cd78160f2467c2779a8c8ee30eb934f1725e17a8
Opcode Fuzzy Hash: a11c5f4a4417ae6c0d408d27bc53453b1063a3b1d8582a93841313df0d893c5f
Instruction Fuzzy Hash: C4E13AB4E0025A8FCB54DFA9C580AAEFBF2BF89344F248159D815AB316D770AD41CF61

Function 07785670 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd07d4b3a75a2dde4dbb70aaee35c6c0c89bc6209151504578d714634aea0c3e
Instruction ID: 47e8c9d39b5482a884867b80a0002ae86e92d800a249f6ca007ccc81aaef654b
Opcode Fuzzy Hash: fd07d4b3a75a2dde4dbb70aaee35c6c0c89bc6209151504578d714634aea0c3e
Instruction Fuzzy Hash: 33E1E9B4E001198FCB54DFA9C580AAEFBB2FF89344F248169E815AB356D730AD41CF61

Function 07784E00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931beb3df5071e9c1e65299d326d530e7f8a73b84cfb064244704d0de9b413ed
Instruction ID: 2c91b41b9a2e750c048d58dcfb01873a54c18a111f73f955e564a83001735781
Opcode Fuzzy Hash: 931beb3df5071e9c1e65299d326d530e7f8a73b84cfb064244704d0de9b413ed
Instruction Fuzzy Hash: B6E1FBB4E401198FCB54DFA9C580AAEFBB2BF89344F248169D815AB356D730AD41CF61

Function 07786E88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9c5a83d6d7b27e9257f7db6d94129a2009fa6e85a868d0a5f8c632c3681f37
Instruction ID: 55686db95316649ccbefe364552f43b4bbfa88b47471319cfb7f1fa0691fadc2
Opcode Fuzzy Hash: 2a9c5a83d6d7b27e9257f7db6d94129a2009fa6e85a868d0a5f8c632c3681f37
Instruction Fuzzy Hash: DCE1FBB4E001198FCB14DFA9C580AAEFBB2FF89344F248559E815AB356D731AD41CFA1

Function 07A0E279 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d2318536c0e924e629ec26e2d50be07d6a10819799a24a2911255209ae723d
Instruction ID: db680ce0a13fb61b6c8a5d4310962def6fe09e47ce17a7c9bdd27bcb6bae837e
Opcode Fuzzy Hash: 36d2318536c0e924e629ec26e2d50be07d6a10819799a24a2911255209ae723d
Instruction Fuzzy Hash: 81D1E83192065ADACB10EB64D990AD9B7B1FFD6300F20979AD14977224FB706AC9CF81

Function 07A0E288 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6700f2edd54235717b0a645f1218a9d68ada8acee97b6de66e98ff4d238f6088
Instruction ID: 38037e659c307c6f68db3c99d0d46ebf99879dbcb71a8e75e66cad48d0867c71
Opcode Fuzzy Hash: 6700f2edd54235717b0a645f1218a9d68ada8acee97b6de66e98ff4d238f6088
Instruction Fuzzy Hash: 6DD1D83192075ADACB10EB64D990ADDB7B1FFD6300F20879AD14977224FB706AC9CB41

Function 012ADF94 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745759181.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593825d57225409ea9e64c2e9998b14e4a8cf7a53e95e07ac440ad35cb0060b8
Instruction ID: 05d6c5335e1d244db0156f77709e7603560825f2ed911ad0b79627da7456ac7e
Opcode Fuzzy Hash: 593825d57225409ea9e64c2e9998b14e4a8cf7a53e95e07ac440ad35cb0060b8
Instruction Fuzzy Hash: 07A18032E1020ACFCF19DFB4D9845AEBBB2FF84300B55456AE905BB265EB35D946CB40

Function 077849C8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3b51cc25345c7058545d3ac09f755b4313bc8f17d41c4e31403564d6a344b4
Instruction ID: f9fddea11c540cbb461066d995d48cbb9f83122f16bc42dac37c2712d19053c9
Opcode Fuzzy Hash: cc3b51cc25345c7058545d3ac09f755b4313bc8f17d41c4e31403564d6a344b4
Instruction Fuzzy Hash: 2A512AB4E0021A8BCB54DFA9C5805AEFBF2BF89344F24C169D418AB316D731AD41CFA5

Function 0778A756 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760575069.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7780000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc73aa95d03f4d4d6ad3ac4f4031cca610107bdb82a645669448703e5c62739
Instruction ID: e6e85c40437368be74af73401434d46a5babb7ea6f04122105a3c59f8ba7baac
Opcode Fuzzy Hash: bcc73aa95d03f4d4d6ad3ac4f4031cca610107bdb82a645669448703e5c62739
Instruction Fuzzy Hash: B9E0EDB599A114CBCB54AF84E5453F8B778EB4F3A1F02E097C40EA6211D7344A94CE12

Function 07A05360 Relevance: 5.1, Strings: 4, Instructions: 126COMMON

Download Yara Rule

Strings

\;^q, xrefs: 07A05486
\;^q, xrefs: 07A0545E
\;^q, xrefs: 07A05454
\;^q, xrefs: 07A0547A

Memory Dump Source

Source File: 00000000.00000002.1760866175.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: d726ab9770336bbcc2c92f3ff3cfa7613beef7b57a84212f5ec242b669cbe038
Instruction ID: 5a65b155c6b1011f8205d8dc270e2ba1e58f2fe20e32b2f257d9667c07ecc596
Opcode Fuzzy Hash: d726ab9770336bbcc2c92f3ff3cfa7613beef7b57a84212f5ec242b669cbe038
Instruction Fuzzy Hash: 504103B1B102069FCB18CF2CE490E697BBAEF85711B2548A9E415CB3A1DA62DC51CFC1

Analysis Process: rrequestforquotation.exePID: 7792, Parent PID: 7284COMMON

Executed Functions

Function 00F96730 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

,bq, xrefs: 00F96A00
(o^q, xrefs: 00F96CA5
(o^q, xrefs: 00F9697A
(o^q, xrefs: 00F96988
,bq, xrefs: 00F969F2

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: 12b9f1e1f6ea6c47db822c2519aefa56c0bfd12ae39df004fbe0e6423503f289
Instruction ID: 87c8cc5ebacf36524c633c84a2faea7c559cd96eb17c6f29e1f6c43ef214cb85
Opcode Fuzzy Hash: 12b9f1e1f6ea6c47db822c2519aefa56c0bfd12ae39df004fbe0e6423503f289
Instruction Fuzzy Hash: F7024B71A00219DFDF14CFA9C984AADBBB2FF88355F14806AE445EB261D734EC41EB51

Function 00F96108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00F96642
Hbq, xrefs: 00F9650E

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 7d657829bc964ef180a5268e3a79d9adc87c55ac91ef401b531e3411a1643b39
Instruction ID: c34e3b490b8b68126c8621d64788ff27fe1ed0c1237fcbf5630453f67c91e150
Opcode Fuzzy Hash: 7d657829bc964ef180a5268e3a79d9adc87c55ac91ef401b531e3411a1643b39
Instruction Fuzzy Hash: 19129E70A002189FDB14DFA9C894AAEBBF6FF88304F208569E509DB391DF349D45DB90

Function 06758B58 Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06758E9A
PH^q, xrefs: 06758EAB

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 45e8c076573c9d78a95e172a45deb20fff05aed6ecf9c63de61cbe5170d6257a
Instruction ID: 411d546503bbd3c0785d6d803ade8ef15d5b1a4651c59332152b100c749610f0
Opcode Fuzzy Hash: 45e8c076573c9d78a95e172a45deb20fff05aed6ecf9c63de61cbe5170d6257a
Instruction Fuzzy Hash: 3CB17870E05228CFDFA5DFA5C8446ACBBB2BF89310F1482AAD859AB351DBB05941CF51

Function 00F9BEB0 Relevance: 2.7, Strings: 2, Instructions: 203COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9C107
PH^q, xrefs: 00F9C118

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 016e0595f4de5329a6be1f2b7c8455c5a677083b04b3f8317929a996d3fbe1b0
Instruction ID: 1e726c8eb6dae375851dd61f4136a8544b8aa44f8f29d3c60fa5287b669205d0
Opcode Fuzzy Hash: 016e0595f4de5329a6be1f2b7c8455c5a677083b04b3f8317929a996d3fbe1b0
Instruction Fuzzy Hash: 3881D674E00218CFEF14DFAAD984A9DBBF2BF89310F10806AE409AB365DB345985DF50

Function 00F9BBD7 Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9BE27
PH^q, xrefs: 00F9BE38

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: e2eb94eabbb8c37b4d3b5800292bfab842ea48bd83a8fbe2d689561c97db3138
Instruction ID: a55e9123d43830e5676aeb6b3f83e6fc0ec7fb2925f235cd8267b335b728d626
Opcode Fuzzy Hash: e2eb94eabbb8c37b4d3b5800292bfab842ea48bd83a8fbe2d689561c97db3138
Instruction Fuzzy Hash: 3391C775E01218DFEB14DFAAD984A9DBBF2FF89310F14806AE408AB365DB309945DF10

Function 00F9C190 Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9C3F8
PH^q, xrefs: 00F9C3E7

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 348abb7aa7a49666588928dc6bb4ea64bf12a2af2c9191097d4d0fc7df9a2097
Instruction ID: abd514a64b83aac8db84c5ad2028424e19f7cc59d5d0fc5743764acc6cdb4458
Opcode Fuzzy Hash: 348abb7aa7a49666588928dc6bb4ea64bf12a2af2c9191097d4d0fc7df9a2097
Instruction Fuzzy Hash: 4481D874E00218DFEB14DFAAD994A9DBBF2BF89310F14C06AE409AB365DB309945DF50

Function 00F94AD9 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F94D30
PH^q, xrefs: 00F94D41

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c3ed4a753e857a9d5be83927cb665854a00b0732cd91ce3115f19da89f6323ee
Instruction ID: 3df246c5953b71cfcac953c1d93327d5695a1f599349de5fff113323b45f67fb
Opcode Fuzzy Hash: c3ed4a753e857a9d5be83927cb665854a00b0732cd91ce3115f19da89f6323ee
Instruction Fuzzy Hash: 8B81C974E01218DFEB14DFAAD984A9DBBF2FF88310F148069E419AB365DB349946DF10

Function 00F9CA31 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9CC98
PH^q, xrefs: 00F9CC87

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 53dc28e79639c29eaba254e2c9a7474a4042be65c67ecfd72ed1c6c2184e699b
Instruction ID: 3e698549ebca39f06514a26d15f4ecb05d2ef3fd34ee10fa10915f6228f0b08f
Opcode Fuzzy Hash: 53dc28e79639c29eaba254e2c9a7474a4042be65c67ecfd72ed1c6c2184e699b
Instruction Fuzzy Hash: 9081C874E00218DFEB14DFAAD994A9DBBF2BF88310F108069E409AB365DB349945DF50

Function 00F9B4FB Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9B747
PH^q, xrefs: 00F9B758

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: d8748cf58dfc0cb3bf754ace114d6191d874e01cfd7b982f8dd8566ce90922ae
Instruction ID: d9a0c48ddb4d3b92def3607e656357adc2b1f6b01f960d465524eac57f1bc347
Opcode Fuzzy Hash: d8748cf58dfc0cb3bf754ace114d6191d874e01cfd7b982f8dd8566ce90922ae
Instruction Fuzzy Hash: E381C374E01218DFEB18DFAAD984A9DBBF2BF88310F148069E409AB365DB309945DF10

Function 00F9C477 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9C6D8
PH^q, xrefs: 00F9C6C7

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 7e317210f63163dbb99dc21d5528dbcbd6320558ad846aa0644dce54846db51c
Instruction ID: f5df42fe1f8013b2d3ab929974211925f819021b440c00ae0f460793ab55db05
Opcode Fuzzy Hash: 7e317210f63163dbb99dc21d5528dbcbd6320558ad846aa0644dce54846db51c
Instruction Fuzzy Hash: BF81C374E00218DFEB18DFAAD984A9DBBF2BF88310F14D069E409AB365DB349945DF50

Function 00F9C75F Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F9C9A7
PH^q, xrefs: 00F9C9B8

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 2e1d6d3bc4daf5a27e8a21bb1e3fbf4331b6c766a7225678c59fb2445ed2000d
Instruction ID: b2012836962de0088e4c00081b410d1d9abdd0cea558090549f48081bbab3596
Opcode Fuzzy Hash: 2e1d6d3bc4daf5a27e8a21bb1e3fbf4331b6c766a7225678c59fb2445ed2000d
Instruction Fuzzy Hash: B581B374E01218DFEB18DFAAD984A9DBBF2BF89310F14C069E409AB365DB309945DF50

Function 067511A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584671fab6ff30ff146588490180c1f665692d51b0df584938085e19875827b1
Instruction ID: 60d6af9656a3624653e0b6286c408417caaf424582cc94291ef55005d88c745d
Opcode Fuzzy Hash: 584671fab6ff30ff146588490180c1f665692d51b0df584938085e19875827b1
Instruction Fuzzy Hash: EB827D74E012288FDB64DF69D984BDDBBB2BF89301F1081EA980DA7265DB315E81CF51

Function 00F9F017 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9dae8418b55ac544f475a251d14409496a610bbdff8a3a1c420e154082eec1b
Instruction ID: 6d52138c4455406bab870b497ad1925ef33b740dca2e4a4dbe53b915f6d38a37
Opcode Fuzzy Hash: c9dae8418b55ac544f475a251d14409496a610bbdff8a3a1c420e154082eec1b
Instruction Fuzzy Hash: E172CF74E052298FEB64DF69C984BD9BBB2BB49300F2491EAD408A7355DB309EC5DF40

Function 06758608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673a2c77016132eb1e6cd3bce4ac7ef6b3d4574234e38afefe3cb83fedf28a9f
Instruction ID: c7498604d7977d94c50919ce0e4ab4223d0e7f453e39a3e04c7aecfc591a015a
Opcode Fuzzy Hash: 673a2c77016132eb1e6cd3bce4ac7ef6b3d4574234e38afefe3cb83fedf28a9f
Instruction Fuzzy Hash: ADE1D074E01218CFEB54DFA5D984B9DBBB2BF88304F2081AAD408AB394DB755E85CF51

Function 0675D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8e8da9d69188e3bdfea46056bb7906ebcda37c4439d8e1d09fbdc02832998f
Instruction ID: 7d914b8fba0d7b6146baecb6be03b730854dcef8f5b2fd497d59f57513c9714b
Opcode Fuzzy Hash: 8a8e8da9d69188e3bdfea46056bb7906ebcda37c4439d8e1d09fbdc02832998f
Instruction Fuzzy Hash: 4AA1B170E012288FEB68CF6AD944B9DBBF2AF89300F14D0EAD40CA7255DB745A85CF55

Function 0675B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e5550842b1ce32e320aeb3760171d145be0a9be6016ced7d6c87ed3385221f
Instruction ID: d408e994cf6fdc79078ca738f4db40a9221a8c2411ac48eb6c5dcc1cc3ba32f1
Opcode Fuzzy Hash: c8e5550842b1ce32e320aeb3760171d145be0a9be6016ced7d6c87ed3385221f
Instruction Fuzzy Hash: 9BA19274E01228CFEB58CF6AD944BADBAF2AF89300F14D0AAD40CA7255DB745A85CF51

Function 0675C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328a69a86c2641aa32f35ad914aee5d1ee36bcd7ca271ef98a4b184ec45ac0f7
Instruction ID: 2dd5711a6a849bdf063401ad7d5b56728d86b429d6e7e082895b10cac3cd2aa0
Opcode Fuzzy Hash: 328a69a86c2641aa32f35ad914aee5d1ee36bcd7ca271ef98a4b184ec45ac0f7
Instruction Fuzzy Hash: 4EA1A374E012188FEB68CF6AD944B9DBBF2AF89300F14C0EAD40DA7255DB745A85CF50

Function 0675A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3189035ef48deb3b080cb5ccbace089d17ddb98dd9343455ee046fd4a092630
Instruction ID: 7a17ce390d007017fac1662dd079205c8ccb8c8b4bfaaa2d6a6655268f486dbd
Opcode Fuzzy Hash: e3189035ef48deb3b080cb5ccbace089d17ddb98dd9343455ee046fd4a092630
Instruction Fuzzy Hash: 1BA1B274E012288FEB68CF6AD944B9DBBF2AF89300F14C1EAD40CA7255DB745A85CF51

Function 0675BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e237a90f216b5d6a3f22a8dc16db0e358dbd6c014add49eb60ec1f70a67ad036
Instruction ID: 7bdebec33bc293682e3adc6bb22d403254d380e4bfb4feec9076dde08c37e45a
Opcode Fuzzy Hash: e237a90f216b5d6a3f22a8dc16db0e358dbd6c014add49eb60ec1f70a67ad036
Instruction Fuzzy Hash: C0A19274E012288FEB68CF6AD944B9DBBF2AF89300F14C0EAD40DA7255DB745A85CF51

Function 0675C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87705eba593e52d6e917ca4f6c32f4b13f9097c05cd47a5c6d183a048ea91a02
Instruction ID: 05f7ca2ceee166b5bc73dbb8d34df15ea4e33bfc932e9c3edc3d35d3bb5843b9
Opcode Fuzzy Hash: 87705eba593e52d6e917ca4f6c32f4b13f9097c05cd47a5c6d183a048ea91a02
Instruction Fuzzy Hash: 30A1A170E012288FEB68CF6AD944B9DBBF2AF89300F14C1AAD40DA7255DB745A85CF50

Function 0675AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1a596e7403e2d2000d0ff8adb8afb631ced30240266e0c908b7c14cfa78940
Instruction ID: 808966d0f14ef2ccb330d5647aa669a6023048cdf7a9e975cb7520558478a093
Opcode Fuzzy Hash: 3a1a596e7403e2d2000d0ff8adb8afb631ced30240266e0c908b7c14cfa78940
Instruction Fuzzy Hash: F9A1A374E012288FEB58CF6AD944B9DBBF2AF89300F14C1AAD80CA7255DB745A85CF50

Function 0675D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169cda203509b9ba147dfdb8b9b7b43f48231a02448c60004cc8f44e0119d377
Instruction ID: 4bd711d5e78e2a188eb5b26f78938e3359c9c7a897cdd9bb5782c073a82f6015
Opcode Fuzzy Hash: 169cda203509b9ba147dfdb8b9b7b43f48231a02448c60004cc8f44e0119d377
Instruction Fuzzy Hash: B7A1A270E012288FEB68CF6AD944B9DFBF2AF89300F14C0AAD40CA7255DB745A85CF55

Function 0675B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98acc7cf633860bb95ab5d2c5dc3295f5b25bef61ac67e2f20d7989a0711e46f
Instruction ID: 2cef045bc63f35d465e2f30fcc9b7feea5a2aaf581bc4b2ec7ac379b6fb603ff
Opcode Fuzzy Hash: 98acc7cf633860bb95ab5d2c5dc3295f5b25bef61ac67e2f20d7989a0711e46f
Instruction Fuzzy Hash: 5EA19274E012188FEB68CF6AD944BADBAF2AF89300F14C0AAD408A7255DB745A85CF51

Function 0675B090 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d847852fdcbc58cc0ad30cacd0149aed59521e5d7c04c4d90b51c64556c840c7
Instruction ID: 25eed34cec8ed067a8265dd56d652c850fb5ad772dae0e66e43c190d8d6d090f
Opcode Fuzzy Hash: d847852fdcbc58cc0ad30cacd0149aed59521e5d7c04c4d90b51c64556c840c7
Instruction Fuzzy Hash: 0991EC71D052588FEB68CF6AD884BADBBB2BF89304F14C4EAD44CAB255D7311A85CF11

Function 06751191 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b853f5ad1bbde67cb41b8c944ab5a33c38e00b37f56640dc23f8edf5ce435922
Instruction ID: 3c7b5d18267b9b20d2ba2d1d8ac8caf861f5e9de74f5c325c641b5d252e25337
Opcode Fuzzy Hash: b853f5ad1bbde67cb41b8c944ab5a33c38e00b37f56640dc23f8edf5ce435922
Instruction Fuzzy Hash: 7381A174E452289FEB64DF29DC91BDDBBB2BB89300F1081EAD809A7254DB705E81CF45

Function 0675AA48 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2685125f48ed87f9554ec40890bae61822ae221582a2763afb4d210ac82299da
Instruction ID: f6b7ef7da5f5a8800dcab0c735deb65c792f7c8b31c77dd4e3d1569800fdc7a9
Opcode Fuzzy Hash: 2685125f48ed87f9554ec40890bae61822ae221582a2763afb4d210ac82299da
Instruction Fuzzy Hash: 7C719371E006288FEB68CF6AC944B9DBBF2AF89300F14C1EAD40DA7255DB744A85CF51

Function 0675D018 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61129a14ba513e983e005f7b91feca3f7df3f3fa465ad4a51f35b911d1b31814
Instruction ID: ed128f3e38ca70d932a9a16f6033c5049c795e127fde1f2aabaf552ec9ef8870
Opcode Fuzzy Hash: 61129a14ba513e983e005f7b91feca3f7df3f3fa465ad4a51f35b911d1b31814
Instruction Fuzzy Hash: B2719371E016288FEB68CF6AC944B9DFAF2AF89300F14C0EAD40CA7255DB745A85CF55

Function 0675C9C8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d084d90c7996690253df9ad7d2586df6e0cb76866f4f8e5d2bc0175e160893
Instruction ID: e072db8708ae264d0f4780188f3091c8796c42179a58372f723bbcc550f3a4be
Opcode Fuzzy Hash: 43d084d90c7996690253df9ad7d2586df6e0cb76866f4f8e5d2bc0175e160893
Instruction Fuzzy Hash: 765197B1E016188BEB58CF6BDD457D9FAF3AFC9310F04C0AAC50CA6264DB740A868F51

Function 067585FC Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35d4947b91ba6aa4723c0e522fa074d86c7bfe22fbb1e4b4ac3c8c0b6cd9a46
Instruction ID: ee512bc2891688a1af20c3191d37c399e789b45c80b864be1dfc6d95bfc865e5
Opcode Fuzzy Hash: f35d4947b91ba6aa4723c0e522fa074d86c7bfe22fbb1e4b4ac3c8c0b6cd9a46
Instruction Fuzzy Hash: 1241E3B0E002188FEB58DFAAD8447DEBBF2AF88300F14C16AD418BB294DB754946CF55

Function 0675A3F8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5207b828bd3349c06424e1d767b0f10633d5c83c4ec7a29a8058fc8ce3dcf3
Instruction ID: 060ffe32c72aed0b7819fbf2595c9105778951f39765b922ce5004f308dfb3a0
Opcode Fuzzy Hash: 7e5207b828bd3349c06424e1d767b0f10633d5c83c4ec7a29a8058fc8ce3dcf3
Instruction Fuzzy Hash: 81416AB1D016188FEB58CF6BD9457DAFAF3AFC8300F14C1AAD50CA6255DB740A858F51

Function 0675C378 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed271279635a396605377e979e9a741e84a1b29f9ead465f31098363ed44063
Instruction ID: 2608c6b0efc8660275bfccae0c3d16ab027f5a7d735cc80f6871be6db32d796f
Opcode Fuzzy Hash: aed271279635a396605377e979e9a741e84a1b29f9ead465f31098363ed44063
Instruction Fuzzy Hash: 6D416AB1E016189BEB58CF6BDD457C9FAF3AFC9304F14C0AAD50CA6264DB740A868F51

Function 0675BD28 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4682e5792d453b6eafb4bb3a3bfbc9f87d5d8d29c2397ae4dfce0bf31660d481
Instruction ID: c3cfe6d346fce25fee485908bf89ea1acbfa6b449ca4cc96732208f482a4de39
Opcode Fuzzy Hash: 4682e5792d453b6eafb4bb3a3bfbc9f87d5d8d29c2397ae4dfce0bf31660d481
Instruction Fuzzy Hash: 08416AB1E016188BEB58CF6BDD457D9FAF3AFC9310F14C1AAC50CA6264DB740A868F51

Function 0675D663 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0918b72c90ea8c4ca8913e472bbad08cc8d3c0d4421d7be98a501520691370
Instruction ID: c115d2e0b830bc0736fbfa7b9ac97e7b577b211cd4b51285e64f465d52f0e1c2
Opcode Fuzzy Hash: bd0918b72c90ea8c4ca8913e472bbad08cc8d3c0d4421d7be98a501520691370
Instruction Fuzzy Hash: 57416AB1E016188BEB58CF6BDD457D9FAF3AFC9300F14C1AAC50CA6264EB740A858F51

Function 0675B6D9 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93eb4e3117e42cc7cb6e7a962eaf84bcf7c5047aa7d76f4fce7d476898833e1
Instruction ID: fb9234eab35e182c5f89f42f3f669ae2eaf51b68cdc0cad16aa779fd8ab58e7c
Opcode Fuzzy Hash: c93eb4e3117e42cc7cb6e7a962eaf84bcf7c5047aa7d76f4fce7d476898833e1
Instruction Fuzzy Hash: 294167B1E016188BEB58CF6BD9457D9FAF3AFC8314F14C1AAC50CA6264DB740A868F51

Function 00F96E58 Relevance: 10.5, Strings: 8, Instructions: 456COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00F96F7D
,bq, xrefs: 00F972F8
(o^q, xrefs: 00F97367
(o^q, xrefs: 00F96F51
(o^q, xrefs: 00F96E96
,bq, xrefs: 00F97308
(o^q, xrefs: 00F97377
(o^q, xrefs: 00F9701A

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: f68d3202ee9d8f3687789529ae6fc5b242a44d7f7b3b2bf7c4d37444ed8a152e
Instruction ID: 23e7bfc9b8257e9e20e3cb48c658d96056680468d9e51261acef5985189655aa
Opcode Fuzzy Hash: f68d3202ee9d8f3687789529ae6fc5b242a44d7f7b3b2bf7c4d37444ed8a152e
Instruction Fuzzy Hash: 27125730A143098FDF24DF69D984A9EBBF2AF88314F148569E819DB2A1DB30ED45DB50

Function 00F92150 Relevance: 8.4, Strings: 6, Instructions: 901COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00F92314
Xbq, xrefs: 00F9345E
Xbq, xrefs: 00F92248
Xbq, xrefs: 00F922C7
Xbq, xrefs: 00F9220E
Xbq, xrefs: 00F93435

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq$Xbq$Xbq
API String ID: 0-1317942629
Opcode ID: 0c5978a8fe134c595dfe581d232b9cf80289bbdd59500f06d2d56830ea071d38
Instruction ID: 8f48ca9b1986d6b96e423dfc6dbdffd553f68843ee399d4e2530015df788fc94
Opcode Fuzzy Hash: 0c5978a8fe134c595dfe581d232b9cf80289bbdd59500f06d2d56830ea071d38
Instruction Fuzzy Hash: 03422966D9D2814FCF034F3849FF2B93FE4EF89124B2882FE858597646D9D4840BA716

Function 00F987E9 Relevance: 4.2, Strings: 3, Instructions: 493COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00F98811
4'^q, xrefs: 00F98837
;^q, xrefs: 00F98C2C

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$;^q
API String ID: 0-799016360
Opcode ID: bae89014ab90e73e9061bcdd7eec1d5b6b110d73a67e36a27cac039bcb5be353
Instruction ID: 50e97e2f8b7958275c2a4ace095fd22fa35c1192ca2d852cd418b9e4cd2a7175
Opcode Fuzzy Hash: bae89014ab90e73e9061bcdd7eec1d5b6b110d73a67e36a27cac039bcb5be353
Instruction Fuzzy Hash: 96F18D71B041018FFF199A39C958B393696AFC7794F1844AAE506CF3A1EE29CC83E751

Function 00F977F0 Relevance: 3.2, Strings: 2, Instructions: 700COMMON

Download Yara Rule

Strings

$^q, xrefs: 00F98337
$^q, xrefs: 00F98314

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 2158774ea10c744a0897c49c7cde50ffbce01e50141abd0c874907295ff4782d
Instruction ID: 9d9f43da274d6a4d8841edf2f52adebf8e3f5aaae3c93d11c4e0c9c5c035c4b4
Opcode Fuzzy Hash: 2158774ea10c744a0897c49c7cde50ffbce01e50141abd0c874907295ff4782d
Instruction Fuzzy Hash: A4522574A00218CFEB24DBA4C850B9EBB76EF54340F1081A9D10A7B3A5DF359E85EF65

Function 00F99B48 Relevance: 3.1, Strings: 2, Instructions: 635COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00F99C78
4'^q, xrefs: 00F9A273

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: ce9dc5362823c02468e182698dc31b1b9e9775004390fc68764ffbaa489fe0be
Instruction ID: 266fefdf029339a2406138556b4883d8134b2b771b23182ee69c323a347ab908
Opcode Fuzzy Hash: ce9dc5362823c02468e182698dc31b1b9e9775004390fc68764ffbaa489fe0be
Instruction Fuzzy Hash: 16427E31A04109DFDF15CF68C984AAEBBB2BF88310F158559E4159B2A1D770EC85EFA2

Function 00F956A8 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00F957C6
Hbq, xrefs: 00F95793

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 396257f6cd3b363cdc2722067beeac15024756d028eb49623d384795192f19df
Instruction ID: 4ab40d79b8e9b24fa2aaf9dd6fbc90c9496e07b95d9a89fe3d7a225d85891de7
Opcode Fuzzy Hash: 396257f6cd3b363cdc2722067beeac15024756d028eb49623d384795192f19df
Instruction Fuzzy Hash: B8B1C1317046188FEF169F79D894B3E7BA6AF88710F144629E406CB391DB79CC01EB91

Function 067523E0 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

LR^q, xrefs: 067523FC
LR^q, xrefs: 06752529

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 158e35c6b2e6070644b2a190283f8dbedb564740055ee689d716de6e29083c82
Instruction ID: a060e79b8a5f13a60d0118bcafffd78288eacb77dad0f913d2cacf168f1187a1
Opcode Fuzzy Hash: 158e35c6b2e6070644b2a190283f8dbedb564740055ee689d716de6e29083c82
Instruction Fuzzy Hash: 8D81D231B101058FCB48EF79D85496E77B6EF88600B1684E9E915DB3B6EB70DD02CBA1

Function 06759510 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

(bq, xrefs: 067596EA
(&^q, xrefs: 0675962B

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: cc66b7ec0e76ed1ac6a9b6567a33aefbc361c480ef5aba0a2f14ac956380f7a0
Instruction ID: c28a5617a6d7c24e3881522f243d889606267692acf3519fe0027bd48bb9ea7b
Opcode Fuzzy Hash: cc66b7ec0e76ed1ac6a9b6567a33aefbc361c480ef5aba0a2f14ac956380f7a0
Instruction Fuzzy Hash: 1671C231F002598BCB55EFB8D850AAEBBB2EFC4700F158469E505AB380DF749D06CBA5

Function 00F95C08 Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

,bq, xrefs: 00F95CDE
,bq, xrefs: 00F95CE8

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: e5387a3ca0330c9fdda41706b5dcd84f8085c4276cf6a01077434100774e3c64
Instruction ID: 86453ece5d79d6b767003120f89a6062e640f2f834ba4897a2536871ab8df2b0
Opcode Fuzzy Hash: e5387a3ca0330c9fdda41706b5dcd84f8085c4276cf6a01077434100774e3c64
Instruction Fuzzy Hash: B2719E35E04A05CFEF16DFA9C888A6EB7B2BF89B10B248166D415EB360D731EC41DB51

Function 00F90C8F Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00F90E5E

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 9b2d1c6f89f396a41a3264f49adebeefdafe788fac8f9446435c2068587e3077
Instruction ID: 06e0302ee14ccd61f3eae64a62e33b4aaaebe9989324f3476bd127ccc353610c
Opcode Fuzzy Hash: 9b2d1c6f89f396a41a3264f49adebeefdafe788fac8f9446435c2068587e3077
Instruction Fuzzy Hash: 6C22E178904219DFCB54EF68ED85A9DBBB5FF88301F1086A6D409AB369DB306D85CF40

Function 00F90CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00F90E5E

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 159713e7219aca70a1189a47e3623dcef921bfdf6ac13cdebb7156721e63a78b
Instruction ID: 449def6057cddfaca836be9b1e4a6fa63bffa173906c82da22b995cef94b297a
Opcode Fuzzy Hash: 159713e7219aca70a1189a47e3623dcef921bfdf6ac13cdebb7156721e63a78b
Instruction Fuzzy Hash: 5222D178904219DFCB54EF68ED85A9DBBB5FF88301F108666D409AB369DB305D85CF40

Function 00F9A65F Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00F9A7D9

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 0e42aabe5d29b885c96b5d6d05206785ce627d28633130210ed64c4341c1144c
Instruction ID: 61384d8a15f1a654cd4f97377d5aa8f1a5fb90244216fea23ef2699fe4bd70f1
Opcode Fuzzy Hash: 0e42aabe5d29b885c96b5d6d05206785ce627d28633130210ed64c4341c1144c
Instruction Fuzzy Hash: E141DF35B042489FCB159F79D854AAE7BF6BBC8310F244569E906E73A1CE348C01DBA1

Function 00F91F61 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

T, xrefs: 00F91F6C

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-286829874
Opcode ID: 8ae6ba76fca7f4baf39b16f4ee6bd534c8f2eb1206c82d2102ec7dd96c34bb03
Instruction ID: c77e1515b281203d551cd53d69000c3d6ff67c35a663d7ecbb262228f2e2e234
Opcode Fuzzy Hash: 8ae6ba76fca7f4baf39b16f4ee6bd534c8f2eb1206c82d2102ec7dd96c34bb03
Instruction Fuzzy Hash: 5521ABB4D0520A8FCB41EFA8D8855ADBBF4BB4A301F10526AD805B7260EB305A56DFA1

Function 06759350 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

Lv+Y, xrefs: 067599BA

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: Lv+Y
API String ID: 0-3292346434
Opcode ID: 226d05e126865e141af32bc88385ecdeb40bacbacb99d8c3bf7022e23f3436cc
Instruction ID: fdf8b6bab394ae21306d9229e7705cdc2d4ea699461d049fbe41f3cdfd840695
Opcode Fuzzy Hash: 226d05e126865e141af32bc88385ecdeb40bacbacb99d8c3bf7022e23f3436cc
Instruction Fuzzy Hash: F41164B2800249DFCB10CF99C944BEEBFF4EF48320F148469EA58A7210C379A950DFA5

Function 06759999 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

Lv+Y, xrefs: 067599BA

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: Lv+Y
API String ID: 0-3292346434
Opcode ID: 65422934d3c65d925522207073ef3da7046635782888618ce7ba42ffbec4e7fc
Instruction ID: bef19dd75c9904c7aa2617f5683fd117fd8bf1b298cd1c5867435e2bb61b08b3
Opcode Fuzzy Hash: 65422934d3c65d925522207073ef3da7046635782888618ce7ba42ffbec4e7fc
Instruction Fuzzy Hash: 4D1146B6800249DFDB10DF99C845BEEBFF4EF48320F148419EA58A7251C379A590DFA5

Function 00F9990B Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b27f49492b3de544efd4737989bf3a8ec0c2b3b1a9cb720a46e6e07eb5c6c6
Instruction ID: 78ba9c78a4f6e4b48a89dc88b3556bd6dde2340e9e3ee37723eef27484ec6dd8
Opcode Fuzzy Hash: 47b27f49492b3de544efd4737989bf3a8ec0c2b3b1a9cb720a46e6e07eb5c6c6
Instruction Fuzzy Hash: F491AC71E04249DFDF05CFA8C844ADEBFB2FF88310F15811AE805AB260D7B49955EB90

Function 00F97438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc681509ee37a70493e8d282ebe894d9ea5d5067b2c9146aece492a8381324c
Instruction ID: bd07eb006d4e82d7a62b601a535d1fb58a48c046d4ee1ea25d1311d0e3f1cbaa
Opcode Fuzzy Hash: edc681509ee37a70493e8d282ebe894d9ea5d5067b2c9146aece492a8381324c
Instruction Fuzzy Hash: D0711734B187058FDF55EF2CC898AA97BE5AF49710B1940A9E902CB3B1DB70DC41EB90

Function 00F9CEC7 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead1d7aca4a5453b90c3d9be25fc98c1372ce4fa89f7acc0d6eed76cc90bd22c
Instruction ID: 6508652f635fe8e0c9bdb0ae17eafd88c5143daacf29899ea305a9514d7300ae
Opcode Fuzzy Hash: ead1d7aca4a5453b90c3d9be25fc98c1372ce4fa89f7acc0d6eed76cc90bd22c
Instruction Fuzzy Hash: 6C51A33902174BCFD3487F25ADEC16A7BA5FB5F3277096E14A11E95022AF30544AAE22

Function 00F9CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7a6c07c462631164b97a63377cfef97a5304846eb4a6af45d619e6a0111cb6
Instruction ID: eb1ae56ccebafda886bf9e27dbde0d2998e945dfeb5abab6297ce3550d5de380
Opcode Fuzzy Hash: 3b7a6c07c462631164b97a63377cfef97a5304846eb4a6af45d619e6a0111cb6
Instruction Fuzzy Hash: CC51933902174BCFC2487F25ADEC12A7BA5FB4F3277086E14B11E91036AF705449AE22

Function 00F9E2E7 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c22cb064b7e35e411fc972576bce38d20c3673efd9e3e4c3ea9768d79a0989
Instruction ID: ae12cd65c934796643d5fc3661ce6110348f7129c36569b759999bb5cf32cb66
Opcode Fuzzy Hash: 36c22cb064b7e35e411fc972576bce38d20c3673efd9e3e4c3ea9768d79a0989
Instruction Fuzzy Hash: 34512274E01218DFDB14DFA5D984AEDBBB2FF88304F208529D809AB3A4DB359985DF41

Function 00F9CD10 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ec8762160185451df6760b63926dbcb60aad443bbaa134cbf6893e83c55ecf
Instruction ID: 5c7d7f7ef88076ec740107b45d6153c4025a6411c6faa4b136c48b287ea8f295
Opcode Fuzzy Hash: d1ec8762160185451df6760b63926dbcb60aad443bbaa134cbf6893e83c55ecf
Instruction Fuzzy Hash: BA517374E012189FDB48DFAAD9849DDBBF2FF89300F209169E419AB365DB30A905CF54

Function 0675DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5360add674239db9d6c89761790fb0da29f4f9b7ac7e8283f5977e3652d7d710
Instruction ID: 8f8ded4c0f3d37cf80a28ac080e320d471baa8bd1d1dbfa662dfd9502db9fdd1
Opcode Fuzzy Hash: 5360add674239db9d6c89761790fb0da29f4f9b7ac7e8283f5977e3652d7d710
Instruction Fuzzy Hash: 2541AE36905319CFEB00AFA1C49C7FE7BB5EB8A315F004865D20667291CBB80A49CF94

Function 00F93908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8adf82b8e4f0786f7442e6ab07475dbc499902aae988b43663fe3c1dd4c57a7
Instruction ID: a4187f43d93faed47e6875e8bd022538c762793ebdf92d4fb70351a26caeaadb
Opcode Fuzzy Hash: e8adf82b8e4f0786f7442e6ab07475dbc499902aae988b43663fe3c1dd4c57a7
Instruction Fuzzy Hash: 4A51A875E01208DFDB08DFA9D99499DBBF2FF8D310B209469E805AB364DB35A946CF40

Function 00F9F0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73ee516f25795df26ac9bc2d84a5df934a6664892199e60541b2e03ca709e17
Instruction ID: e67f9235069ea02b50918b713a0c94fe05e91e257bc33f82c8efeceaab9c6a97
Opcode Fuzzy Hash: c73ee516f25795df26ac9bc2d84a5df934a6664892199e60541b2e03ca709e17
Instruction Fuzzy Hash: 2151CF74E06228CFDB24DF68C984BEDBBB1BB89305F2055AAD409A7350D735AE85DF40

Function 00F99A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77086d02b135b51521512e3dcfd313516036995e7e2eac3207eb831cce0c3f8
Instruction ID: 0e0de306aebb289bd261f8a3f38adfaa5898b379c77e3a97642083aa489b3dab
Opcode Fuzzy Hash: a77086d02b135b51521512e3dcfd313516036995e7e2eac3207eb831cce0c3f8
Instruction Fuzzy Hash: DE41E131A08249DFEF11CFA8CC44AADBBB2FF89310F118159E8059B2A1D3B4D910EB50

Function 06759500 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f52481dc0b627d975d1effcb301fe70672de75aef1f9876ecacdad132add629
Instruction ID: 282f82457268569a25131149aa752d5cd84b577025cf2fa88bd45c67075d4caa
Opcode Fuzzy Hash: 7f52481dc0b627d975d1effcb301fe70672de75aef1f9876ecacdad132add629
Instruction Fuzzy Hash: 48416D71E00319DBDB54CFA5C980AEEBBF5EF88700F158169E915B7280EB70A946CB91

Function 06759A49 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f7796617d99cc13376484832bf49a5d01450c82f9100bb214f813ae93f5ab8
Instruction ID: 7a2a856dfa8c46f376778e11a1838f37927e7cb5542ccc2083227df7f59e48f6
Opcode Fuzzy Hash: 08f7796617d99cc13376484832bf49a5d01450c82f9100bb214f813ae93f5ab8
Instruction Fuzzy Hash: F341D178E04249CFDB44DFA9D5847EDBBF1EB48304F24812AD819AB394EB745A46CF50

Function 00F9D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94931860d5d740fb561dc012e2a5b513c0fd7264086a87485304c78899c0248
Instruction ID: ab978c8191dcbee2274c56f49066dbf4e9b3aa3a941573019fd5a1569be07e36
Opcode Fuzzy Hash: b94931860d5d740fb561dc012e2a5b513c0fd7264086a87485304c78899c0248
Instruction Fuzzy Hash: 0D414575D05208CFEF14DFA8E8846EDBBB2FB49300F709119E00AAB255DB749841EF16

Function 06759A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f9ba582bb3d6d2c15c3300a0c82d34ed83201f5114f4b1dfe12f886c31643f
Instruction ID: 37d7694694070d7bf757e5cd813fcfed6c2b894eb0b8ef7b27e8d25987b89906
Opcode Fuzzy Hash: f4f9ba582bb3d6d2c15c3300a0c82d34ed83201f5114f4b1dfe12f886c31643f
Instruction Fuzzy Hash: 1541C078E04209DFDB44DFA9D5846EDBBF2FF88304F10912AD819AB294EB745A46CF50

Function 00F9D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba3f99ca324d877d21cbb9d8a927eb3d9c0e1b28268135080a508f17bf3aae8
Instruction ID: 02e152288d6f3f54e9489951fd5d45c29424ae027006ad6ccde091c789186139
Opcode Fuzzy Hash: 3ba3f99ca324d877d21cbb9d8a927eb3d9c0e1b28268135080a508f17bf3aae8
Instruction Fuzzy Hash: 8D410174D05208CFEF04DFA8E8846EDBBB6FB49311F70912AE409AB295D7349841EF55

Function 00F9D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7197604c8948c189c98a29640545e0d8abf37f36180bd757590ee19522ef49
Instruction ID: 757e90f53bc6dff00a6eca927b84c8353ea5939f21489a355a8f12a0c744420f
Opcode Fuzzy Hash: ae7197604c8948c189c98a29640545e0d8abf37f36180bd757590ee19522ef49
Instruction Fuzzy Hash: 2A412674D05208CBEB04DFAAD8846DEFBB6BB89300F24D129E408B7255DB749841DF55

Function 00F94DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16243c9aab2e18142863ff67766f753f8a574be8670e3e9c0a378229e6a07f7
Instruction ID: f4d9b940a16581a109a9fa365885258d529675ffb35717b511c656ccb236afce
Opcode Fuzzy Hash: f16243c9aab2e18142863ff67766f753f8a574be8670e3e9c0a378229e6a07f7
Instruction Fuzzy Hash: 8F31A53160420A9FDF06AF65D894AAF3BA2FF98314F104465F9158B251CB34ED62EFA1

Function 00F9A818 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f106eac843783c31fb14f5f410ab03720e59365aea68ae5e1d92bb20e34a3c
Instruction ID: e8223b2436464afdd34eeb1430a191132800d16a439c93608528bd1ff49b2bd5
Opcode Fuzzy Hash: c4f106eac843783c31fb14f5f410ab03720e59365aea68ae5e1d92bb20e34a3c
Instruction Fuzzy Hash: FB319470A006198FDB05CF6DC8889AEBBB2FF85320B158255E525973A1CB34ED52CFE1

Function 00F976E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d4fa18d45caabca1a412d24edba9d092777f6d5d46c0ab0dc374e031a4b316
Instruction ID: 99a0a1133507983d99450c07b42c8480f996de23998f7930376e59fc54f49af7
Opcode Fuzzy Hash: 21d4fa18d45caabca1a412d24edba9d092777f6d5d46c0ab0dc374e031a4b316
Instruction Fuzzy Hash: F2219D35B2C3055BFF1827658894A7A36979FC4B68F244078D506CB794EE65CC82B682

Function 00F976D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd65d47b15bf340cf69c98df1525c6c7163bf47518b3664deaee7c58d5c4307c
Instruction ID: 9a76ac4f0e7f87d77c0bb2c93d36beb14019f1f7167a95e425263a21c67b02c8
Opcode Fuzzy Hash: cd65d47b15bf340cf69c98df1525c6c7163bf47518b3664deaee7c58d5c4307c
Instruction Fuzzy Hash: 38210035B2C3045BFF1837798C94A3A3697AFC47687280179D506CB764EE25CC42F682

Function 00F9A809 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75eabd431727b45ba3437361f0582eed07edc03b418164e7546230979aa1dfa
Instruction ID: b2032a4206ccb1edc4d521faa0179953282f66f899dfbb21188eceb2887088f3
Opcode Fuzzy Hash: e75eabd431727b45ba3437361f0582eed07edc03b418164e7546230979aa1dfa
Instruction Fuzzy Hash: 39316D71A005198FDB04CFADC8889AEBBB2FF88350B158259E516973A1CB34DD52DFD1

Function 00F976DF Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689b9befe649a9eeb63021d808f3b5399fe0ff783017d62f763b4530e83075ff
Instruction ID: 12836724da0bcf39b1d52b48fdfac459a7ec8e0b6533e3f6ce33f2559fb5f6b8
Opcode Fuzzy Hash: 689b9befe649a9eeb63021d808f3b5399fe0ff783017d62f763b4530e83075ff
Instruction Fuzzy Hash: 2021DE35B2C3045BEF2837798C94A3E36979FC4768B184178D506CB7A4EE25CC42B683

Function 00F95A60 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9038e141d2f9dd861ed05f9ccee34b233b3f41cd1c19bd9f7c9e5374f9fa5d4e
Instruction ID: 75bed02be86d881235e3b3197b754d62298da99f81adb662c544496e1473f129
Opcode Fuzzy Hash: 9038e141d2f9dd861ed05f9ccee34b233b3f41cd1c19bd9f7c9e5374f9fa5d4e
Instruction Fuzzy Hash: B621D431705A128FDB26AB29D89453E7792EFC4B257148269E806CB350CE34DC03EBC4

Function 00F92060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e769dfde6cff4515c913dd2a20df1c023c53cf6a5adead71da12b0bcf9fda1
Instruction ID: c3ed2b6aa3c97f802b3629041a0b6d3db2e2b63ad1ceffd4db579e1a98bb8ef7
Opcode Fuzzy Hash: 83e769dfde6cff4515c913dd2a20df1c023c53cf6a5adead71da12b0bcf9fda1
Instruction Fuzzy Hash: 9621F171A00205AFCF60DF34C4409AE37A5EB9D764F10C419D84A8B340DB35EE42DBD2

Function 00E4D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4143656102.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e4d000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d269d5ec1d4b0fc58543117319b87b705b0ddea0db8dbb2fbd3f9a5c2bc6897f
Instruction ID: 0f97ea81e065f5ecc6eb0ea810970b0a37fa70efae1e5e221256e7e175ad3b58
Opcode Fuzzy Hash: d269d5ec1d4b0fc58543117319b87b705b0ddea0db8dbb2fbd3f9a5c2bc6897f
Instruction Fuzzy Hash: 47212671608204DFCB14DF24EDC4B26BBA6FB88318F20C5ADE8495B352C77AD846CA61

Function 00F939ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f32f171b37442eeebd69819a8da3a6ab934c9f38ed5a428a755adfb8e342af3
Instruction ID: 65922be0f5a7a8aab898101d47c97e6e7df998f6d50583e6efc694c229c99303
Opcode Fuzzy Hash: 5f32f171b37442eeebd69819a8da3a6ab934c9f38ed5a428a755adfb8e342af3
Instruction Fuzzy Hash: 5E31A078E05209DFCB04EFA8E5948ADBBB2FF4D305B20446AE859AB324D731AD45CF40

Function 067596F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f7fcc09bceed5a53dc2fb105328fd9bb79cb90d5f74b2938679a5ad14dbf0c
Instruction ID: 411747a95c5508af7d301744a13886c1c446f6fb3eada953d35fc9ecc42399a4
Opcode Fuzzy Hash: f9f7fcc09bceed5a53dc2fb105328fd9bb79cb90d5f74b2938679a5ad14dbf0c
Instruction Fuzzy Hash: 75112E353042A45FCB466FBCA82557E3FA3EFC4250B14446AE545D73C2CE384E05C3A5

Function 00F94DB9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99ccda0de8f9086cd23af7bb25b6bbfd512ba8f119e45c67ef002a4fb777b63
Instruction ID: d883930623009dcab78c6abe5995a98231c196fde0ad5246b33cbb4fabc20835
Opcode Fuzzy Hash: e99ccda0de8f9086cd23af7bb25b6bbfd512ba8f119e45c67ef002a4fb777b63
Instruction Fuzzy Hash: F521A131A081098FDF05AF68E454B6B3BA2FBA8314F104065F9058B255CB34ED52EFE0

Function 00F94DC7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33022d25fbd9913c0e6e814d6e4fb2ff736bb7e7e3e0657cd7accf7d7e11f3d6
Instruction ID: ffa1beb0a2873499603616d770a8dd56e3cd1e2df97f1ea6f23281b9c363a586
Opcode Fuzzy Hash: 33022d25fbd9913c0e6e814d6e4fb2ff736bb7e7e3e0657cd7accf7d7e11f3d6
Instruction Fuzzy Hash: 3F21D5316081099FDF15BF68E454A6B3BA2FB94314F104069F8058B251CB34ED52EFE0

Function 0675E0C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf967b83411b656b51134afbcaf243aee354342dec7bfa806ab6f43f4211749
Instruction ID: 3cdd27b9803b3c1ef6b5a0e9492c06c6db4c98b2c8ac6263cb7ab6a4134c693f
Opcode Fuzzy Hash: acf967b83411b656b51134afbcaf243aee354342dec7bfa806ab6f43f4211749
Instruction Fuzzy Hash: 8011E5317052588FD7050B799C945BBBFABAFCA290B1584B7E54AC3296CD748D0AC760

Function 00F9E1F8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0251047038b5ea99bc07b1f860b9d850baa9a47b71085bc54748edea0c2ee3c
Instruction ID: a6f0bf580a9b07b47b4e0ebdeb089e0f8506c6b0a9e4033d60bbe220538fe294
Opcode Fuzzy Hash: d0251047038b5ea99bc07b1f860b9d850baa9a47b71085bc54748edea0c2ee3c
Instruction Fuzzy Hash: BB218E74E00109DFDB44EFB9D98179EBFF2FB45304F10956AD005AB365EB305A4A9B80

Function 00F95A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b40657401d12bdc46e25e185b23b1a63e49db965edeac4d1d62f5170ececba
Instruction ID: b886de64aee1966668e628260c157b99db2fa74970b94ffc968eabe246ba2575
Opcode Fuzzy Hash: f6b40657401d12bdc46e25e185b23b1a63e49db965edeac4d1d62f5170ececba
Instruction Fuzzy Hash: BE11E531701A129FDB165B29D89453E77A6FFC4B6071542B8E806CB350CF34DC029BD4

Function 06758EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9de69b1a1b69b5970fdd76f4ae1b8e00c2209d66e5085aff243a177d0ad6ef8
Instruction ID: f9a14104b3d487897c73a92aaaba995dd4fe70d3654e0fdfbbfe49b4515f488f
Opcode Fuzzy Hash: d9de69b1a1b69b5970fdd76f4ae1b8e00c2209d66e5085aff243a177d0ad6ef8
Instruction Fuzzy Hash: D5112A34F001598FEB00DFE8E850BAEBBB2AB49315F0190A5E908E7349EA7099428F51

Function 00F9E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252b159f13c4fb7824b796926e9dcb5efcb0be37f9b150dca8b7f4cc226d58e0
Instruction ID: d36c68b4d181f4999d0c5ee4e4a4b8a7b456098b003c0daf4f0c8bf30933b01e
Opcode Fuzzy Hash: 252b159f13c4fb7824b796926e9dcb5efcb0be37f9b150dca8b7f4cc226d58e0
Instruction Fuzzy Hash: D6117C74E00209DFDB44EFBDD98179EBBF2FB45304F0095AAD004AB365EB305A4A9B80

Function 00E4D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4143656102.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e4d000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: b2c30c8c982a8623d498501ebb14c2f68e3c1cf0073b38bd4233f905d761c961
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: BB118B75508284DFDB15CF14D9C4B16BBA2FB88318F24C6AED8494B656C33AD84ACB62

Function 00F91F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbe9ceecabb2aab3d3d7d28b289b8ad9e9518bd23fe2d5c339420fdba67e6f3
Instruction ID: 6b6ddd815eef092d1bc4719f51eaebc671129608f2350bcefd7eeb4a41ce5446
Opcode Fuzzy Hash: dfbe9ceecabb2aab3d3d7d28b289b8ad9e9518bd23fe2d5c339420fdba67e6f3
Instruction Fuzzy Hash: A921F7B5D0460D8FCB11EFA8D8845EDBFB0BF4A314F1442AAD445B7264EB305A45DBA1

Function 06752670 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4cd2206fad7920de47a39cb24f23f5f13bfabbb94ab236624a926359861e82
Instruction ID: b6d8d79eac89d639193c106db9e20159bb789cc6c86fe887dc5134484391ba0e
Opcode Fuzzy Hash: 0d4cd2206fad7920de47a39cb24f23f5f13bfabbb94ab236624a926359861e82
Instruction Fuzzy Hash: 7211C079B002118FC750EF78E848AAE3BF4EF8822171105A9E915DB325EB71CA068F90

Function 00F95607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff321791c4ea82428a94c7e3c88d2551cf616388837dafdd9b44ed62036a26a5
Instruction ID: 03b1852a048d21c4eeef1171eb0d40f6e96f03d2c031c46fb281be4e59cfcf7a
Opcode Fuzzy Hash: ff321791c4ea82428a94c7e3c88d2551cf616388837dafdd9b44ed62036a26a5
Instruction Fuzzy Hash: CA012872B041146FDF069E69AC106EF3FA7DBC8751B18802AF905C7295CA35CD02ABB1

Function 067525E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bb16531b03ac867eb51a6de9de811374fd2a982736a768928051e336f0f8e5
Instruction ID: f490f7c39e604bd428f4879a5ea0f0eba2cf5b62ba39152aa7b1004c5e3894da
Opcode Fuzzy Hash: 09bb16531b03ac867eb51a6de9de811374fd2a982736a768928051e336f0f8e5
Instruction Fuzzy Hash: DE01B670E003199FDF54EFB9C8416AEBBF5AF88200F10856AD919E7250E7789A01CF95

Function 06759760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328fdaadc1d7d92d31f35a21683297825280e558151b73eb11734fe17a6a81fc
Instruction ID: 278b9bfcb1b1b3d24ad6245524ac4e7987c3b6d9b039c7a410ea3f2267cd82fb
Opcode Fuzzy Hash: 328fdaadc1d7d92d31f35a21683297825280e558151b73eb11734fe17a6a81fc
Instruction Fuzzy Hash: 5FF054363001197F8B056E98AC549AF7FABEBC8260B044829FA0997351DB31991197B5

Function 00F92010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8549fec82b163457c99ae418e1bec198573856ddafd25f4c31d29beb11c155a2
Instruction ID: dc15380a9e1774fba20d3ebd4a60838ce027d1354f6bc57bdcf9abf6b58d7698
Opcode Fuzzy Hash: 8549fec82b163457c99ae418e1bec198573856ddafd25f4c31d29beb11c155a2
Instruction Fuzzy Hash: C3E09235D2426A5FCB02DB70D8508EEBF30EE97314B14569AC06567151D7B1251ACB62

Function 00F9D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e1d0ae991d6f5f64267a99cd3df5464cb12f95b917de096f5b3bf2cb1fb53d
Instruction ID: 3563521c205c28306b492dcd6754cbc6ae52140bb1bd8bd5da61700ed9b0fdff
Opcode Fuzzy Hash: 73e1d0ae991d6f5f64267a99cd3df5464cb12f95b917de096f5b3bf2cb1fb53d
Instruction Fuzzy Hash: 6AE020D3D09140CBEB14CFAA64151B4BF30CDD735175460D7D089D7125D624D606FB11

Function 00F9D457 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a268c9ea5d1e033d8ad8bdeaa68482ea7581940e92d30b59bda053b1059c6c52
Instruction ID: eacff7d67dda394fd1e48fb652b09b99b0d9102b73a12911170ff3ba7579d772
Opcode Fuzzy Hash: a268c9ea5d1e033d8ad8bdeaa68482ea7581940e92d30b59bda053b1059c6c52
Instruction Fuzzy Hash: 94E08675D04104DEDF04DFAAB8097FEB7719BCB311F10A529D105721A5CBB015199A51

Function 00F9DF17 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc001355a10c85786bade3972eac293895ab92d0938834d2694da23e4426cbc
Instruction ID: 0fa5b2b4bf28546a31d0e6f5a1769310bfd69a471cad9a04a920ef3ce13f2a8a
Opcode Fuzzy Hash: bbc001355a10c85786bade3972eac293895ab92d0938834d2694da23e4426cbc
Instruction Fuzzy Hash: 6DE08635E041089EDF049FAAB8197FEB7B5ABCB301F506425E505731A1CBB045199A51

Function 00F92020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc14a33a032f59d8b9cf5b3ada1bace648e55168dffd19649aced1df6261908c
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: fc14a33a032f59d8b9cf5b3ada1bace648e55168dffd19649aced1df6261908c
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 00F98258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 6c61be059095a56cfc54ce09728a768ed91a84a714d925eff05cbd905d717c8a
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 02C0123360C1282AAA24108E7C40EA3AB8CC2C27F4A250137F91CA3200A842AC8221A8

Function 00F98257 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea38ca88601e5e82f93b0c82c0d0edf9ff416aef91a10dd8e8e3c1f9296e9b9
Instruction ID: 1350d6c152e6260adc09f966930d72f928eaf2d0931d19bea5ffd001cab6d3ef
Opcode Fuzzy Hash: 4ea38ca88601e5e82f93b0c82c0d0edf9ff416aef91a10dd8e8e3c1f9296e9b9
Instruction Fuzzy Hash: 4CC01237A4D0642DAB35409E3C80EFB9B8CC6D23F4A29027BF85DE324098824C8262A4

Function 00F9A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669a8098fd93984e1a13202be2142c2f36c4d76670846e5643945e18450c5ef0
Instruction ID: 03f71eb8cb13f95120b637a607fa80d218e9b9503f28a777962e7bf53023dbe3
Opcode Fuzzy Hash: 669a8098fd93984e1a13202be2142c2f36c4d76670846e5643945e18450c5ef0
Instruction Fuzzy Hash: 44D0677AB41018DFCB049F99EC808DDB7B6FB9C221B148116E915A7261C6319921DB54

Function 00F95EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c08516b0dd551b5e8a82b531df6b288495367d38ad74a238866118ffad1c00
Instruction ID: 75fa5d333e7a2f2ea7399719d56e4993bc2b3c2156778d688dfcbd1cb64d1e95
Opcode Fuzzy Hash: c6c08516b0dd551b5e8a82b531df6b288495367d38ad74a238866118ffad1c00
Instruction Fuzzy Hash: 0DD02B7052C3850FC703F374F9A144C3F21FA80208B1043BAE8450E27BDE7449498B61

Function 00F9FBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8f9ac1949c1eb0ee643c8f27365634abe55d0d0ef452f767dd4da20c80bb0b
Instruction ID: 55d166dcaf74f0e90bea0a2b03252dc30356adf254b811a73588abc83c5e9be5
Opcode Fuzzy Hash: 1f8f9ac1949c1eb0ee643c8f27365634abe55d0d0ef452f767dd4da20c80bb0b
Instruction Fuzzy Hash: 39D06C79E4412C8BCF20EFA8EA452ECB7B0EB89300F1010E7A909B3210D6705AA4AF11

Function 00F95EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec40952f26e495b0266a861a0bab4d51d444644e73fad07953724e2927e6414
Instruction ID: 83d8bc7cbcbdc686a03a4ad92568b057de43ba3a1a5ff26de64a3318d3bec068
Opcode Fuzzy Hash: eec40952f26e495b0266a861a0bab4d51d444644e73fad07953724e2927e6414
Instruction Fuzzy Hash: 59C012301683094FC602F7B9FA45559771AF6C0304F404621B4090E22EDF78998846A1

Non-executed Functions

Function 06752807 Relevance: 12.9, Strings: 10, Instructions: 388COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06752BFE
PH^q, xrefs: 06752EE6
PH^q, xrefs: 06752CE2
PH^q, xrefs: 06752DD7
", xrefs: 06753087
Hbq, xrefs: 06752869
PH^q, xrefs: 06752ED2
PH^q, xrefs: 06752BEA
PH^q, xrefs: 06752DEB
PH^q, xrefs: 06752CF6

Memory Dump Source

Source File: 00000008.00000002.4151174997.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: "$Hbq$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2450740202
Opcode ID: db4bc0b07c8edbd3090ffe17abf38c10666389fa032296f0173c7f6f751ff722
Instruction ID: 7938bebc2538ad2d88617415e8834a7e5ed72bcf34d4d50a0ff4e958e6c65935
Opcode Fuzzy Hash: db4bc0b07c8edbd3090ffe17abf38c10666389fa032296f0173c7f6f751ff722
Instruction Fuzzy Hash: C712C374E002188FDB58DF69C954B9DBBF2BF89300F2084A9D809AB365DB759E85CF50

Function 00F91478 Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 00F91557
F, xrefs: 00F9153A
F, xrefs: 00F91510
4'^q, xrefs: 00F9148B

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: 4'^q$F$F$F
API String ID: 0-2121171992
Opcode ID: 1820f1e73b2cfbfe8a2c1afd37ed7041b4431c8f5af2373f7ea0b6d37b8dc070
Instruction ID: 3d662dae94fb0792b7b8e29c229f87b1c88122286b8a9ab3630255b99cc9ddf6
Opcode Fuzzy Hash: 1820f1e73b2cfbfe8a2c1afd37ed7041b4431c8f5af2373f7ea0b6d37b8dc070
Instruction Fuzzy Hash: CD21B434A042149FDB06EFB9E48169E7BB1FF85308F1189A9D4059B385CB38A94ACF61

Function 00F96088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 00F960BA
\;^q, xrefs: 00F96094
\;^q, xrefs: 00F9609E
\;^q, xrefs: 00F960C6

Memory Dump Source

Source File: 00000008.00000002.4145048353.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f90000_rrequestforquotation.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 597f44cb353609b91258ca7f615d44ce8ad633c6ecdb7e0d8efd212e0b66df7f
Instruction ID: 9fc86f05d689926a06f04a9b1e48c1556779ad18568084a747ce508b1a1d7002
Opcode Fuzzy Hash: 597f44cb353609b91258ca7f615d44ce8ad633c6ecdb7e0d8efd212e0b66df7f
Instruction Fuzzy Hash: 5301DF32B041149FDF648E2DC488A2A77EBBF88B70725417AE106CF3B4DA72DC45A780

Analysis Process: oGnCNPiCwiAocn.exePID: 7896, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	152
Total number of Limit Nodes:	17

Executed Functions

Function 0258D3C8 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0258D456
GetCurrentThread.KERNEL32 ref: 0258D493
GetCurrentProcess.KERNEL32 ref: 0258D4D0
GetCurrentThreadId.KERNEL32 ref: 0258D529

Memory Dump Source

Source File: 00000009.00000002.1838528167.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 879b824ca9d202b13a574d2db9f16b9783291e6ad7f49a567da09a423e070c90
Instruction ID: 26ba2b1111d9276cea556a999947068828c2e395bde657c425aaa37c9d816d1d
Opcode Fuzzy Hash: 879b824ca9d202b13a574d2db9f16b9783291e6ad7f49a567da09a423e070c90
Instruction Fuzzy Hash: 175145B09013098FDB14DFAAD548BEEBBF1FB48314F208459D159A73A0D7B4A944CF69

Function 0258D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0258D456
GetCurrentThread.KERNEL32 ref: 0258D493
GetCurrentProcess.KERNEL32 ref: 0258D4D0
GetCurrentThreadId.KERNEL32 ref: 0258D529

Memory Dump Source

Source File: 00000009.00000002.1838528167.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 42020d3fd5bb84aea96a8d57179eb774cc9c544cd610c025576292de52496fec
Instruction ID: b9beec57a0a461d5f1e558fbc6e799aa59f89cc646f3e18566f17c8a0dda70f2
Opcode Fuzzy Hash: 42020d3fd5bb84aea96a8d57179eb774cc9c544cd610c025576292de52496fec
Instruction Fuzzy Hash: 815126B09013098FDB14DFAAD548BEEBBF1FB48314F208459D059A72A0D7B4A944CF65

Function 06F075FE Relevance: 1.8, APIs: 1, Instructions: 257
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F0783E

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: aa46bd1a9e37f2472110dbabc9e38ec9f688f150adf1c5aded11a15f83c67502
Instruction ID: 801746ae1d974cfbcb712fd412690dadfc3fc880f46b9d416dde08188e3e9dbb
Opcode Fuzzy Hash: aa46bd1a9e37f2472110dbabc9e38ec9f688f150adf1c5aded11a15f83c67502
Instruction Fuzzy Hash: B4A18E71D00219CFEB60DFA8C841BEDBBB2FF44314F1485A9D849A7290DB74A985DF91

Function 06F07608 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F0783E

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3ca0b3038cb9363d04b457068cffa65aaed73600dfbdadf30b6573a3c816c3ac
Instruction ID: 57b31a4b958e3c4c1fb547e55ba2c50abcc68054aa14e0936894bb43c7aad43d
Opcode Fuzzy Hash: 3ca0b3038cb9363d04b457068cffa65aaed73600dfbdadf30b6573a3c816c3ac
Instruction Fuzzy Hash: 23917E71D00219CFEB64DFA8C840BEDBBB2FF48314F1485A9D849A7290DB74A985DF91

Function 0258B150 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0258B3A6

Memory Dump Source

Source File: 00000009.00000002.1838528167.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a742664bc76301d1a91e9dacf71acfdad6f36a392a025850087546735afc2096
Instruction ID: 48de82254956a2f1736739be7f01994dc80a66d59c7e878e1680f8a5ed8f76cb
Opcode Fuzzy Hash: a742664bc76301d1a91e9dacf71acfdad6f36a392a025850087546735afc2096
Instruction Fuzzy Hash: EA713670A00B058FD724EF69D54075ABBF6FF88304F10892ED48AE7A50DBB4E949CB95

Function 02584618 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02585F59

Memory Dump Source

Source File: 00000009.00000002.1838528167.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 40e26ef79bd4572afbf3e525a8a3e0bce362f5b5f8812a5cdd46686dc4004a1f
Instruction ID: de667f14d57f117bfa24286ff3edb1aeb6c5e167ec74c9af3339b567c7f1726c
Opcode Fuzzy Hash: 40e26ef79bd4572afbf3e525a8a3e0bce362f5b5f8812a5cdd46686dc4004a1f
Instruction Fuzzy Hash: 1841E2B0C00619CBDB24DFA9C8447DEBBB5FF48304F2080AAD408BB255EBB56945CF90

Function 02585E9D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02585F59

Memory Dump Source

Source File: 00000009.00000002.1838528167.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5af739f9d0d36c26ab049186f108254505e8e79610aebbe357bb0c5acef90ee0
Instruction ID: cf3c4557000451ad8abcb30a039ad45e3ff040c3a045a1cfaa0e2ceeb87dfd7b
Opcode Fuzzy Hash: 5af739f9d0d36c26ab049186f108254505e8e79610aebbe357bb0c5acef90ee0
Instruction Fuzzy Hash: 8641C1B0C00659CEDB24DFA9C8447DEBBB5FF88304F24806AD409AB265DBB56946CF90

Function 06F07378 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F07410

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a81edba4e7542bbf89ba9fd3e355c86284db9ad8645fe517895b601a95f784bc
Instruction ID: ba4a2a816d67a497dff60184ffe75a4577342a17b21e38f21457a75d65f5ad6e
Opcode Fuzzy Hash: a81edba4e7542bbf89ba9fd3e355c86284db9ad8645fe517895b601a95f784bc
Instruction Fuzzy Hash: CF2135B59002599FDB10DFA9C881BDEBFF4FB48310F148429E959A7250C778A944DBA4

Function 06F07380 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F07410

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ee7fe06b9d07c44f0c2bc52b8816ef79d493c08e83f4ff54e1632318fa9a8586
Instruction ID: be8f46c617eec54ead98c85429e8986c725445b37681e212baf9d3e02e6f67a8
Opcode Fuzzy Hash: ee7fe06b9d07c44f0c2bc52b8816ef79d493c08e83f4ff54e1632318fa9a8586
Instruction Fuzzy Hash: 4F2144B5D003499FDB10DFA9C881BDEBBF4FF48310F10842AE958A7250C778A944DBA4

Function 06F06DA8 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F06E2E

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 413731fc281f959fc902cbee4de3742a50cd0b014ecb22d88fc80c4c1ed54cb9
Instruction ID: 9ce394262c91bed849ddc047106890399282928608cd6d98839f42e48c409d4d
Opcode Fuzzy Hash: 413731fc281f959fc902cbee4de3742a50cd0b014ecb22d88fc80c4c1ed54cb9
Instruction Fuzzy Hash: 812137B1D003098FDB10DFAAC8857EEBBF4EB48324F148429D459A7291CB789985CFA4

Function 06F07470 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F074F0

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 224e283d372d327152dd2c7f161a44c73e99202b4242a417940b46767b628621
Instruction ID: 8485883d6e1467ee83d296351fdd574c6b67c4ab4d26e706de770bec68135fa1
Opcode Fuzzy Hash: 224e283d372d327152dd2c7f161a44c73e99202b4242a417940b46767b628621
Instruction Fuzzy Hash: 122139B5D003599FDB10DFAAC841AEEFBF5FF48310F108429E559A7250C774A544DBA4

Function 06F07468 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F074F0

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a66ff2069a23524034d05abd5a8e41d554b988a3ba8598c7a949962d90feb879
Instruction ID: ecb1c0a004531ada1217db7289c59485bf15087e9c6ae3cfabf96a2744613feb
Opcode Fuzzy Hash: a66ff2069a23524034d05abd5a8e41d554b988a3ba8598c7a949962d90feb879
Instruction Fuzzy Hash: 112145B5D00259DFDB10DFA9C881BEEBBF1FF48310F10882AE559A7250C738A954DBA4

Function 06F06DB0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F06E2E

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d2a2a37b4f747b2675c05946d0a1e163294bc2148d19166985eba54a1eeae7f0
Instruction ID: 9a67da6583f7dba8b88f1ea24ccc6ebbdb9d6c2a46ea29834a5a1e443159db66
Opcode Fuzzy Hash: d2a2a37b4f747b2675c05946d0a1e163294bc2148d19166985eba54a1eeae7f0
Instruction Fuzzy Hash: 4B2129B1D003098FDB10DFAAC8857EEBBF4EF48324F148429D459A7250C7789985CFA5

Function 0258D618 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0258D6A7

Memory Dump Source

Source File: 00000009.00000002.1838528167.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0e1c77d30433d8444b5dec126accbde47afa5a970e2750d03f4881d265dbfc6b
Instruction ID: 1101452e80abf4290d74261bd71b36d909fa8f6be4f331dbc37afc6694dfdfe7
Opcode Fuzzy Hash: 0e1c77d30433d8444b5dec126accbde47afa5a970e2750d03f4881d265dbfc6b
Instruction Fuzzy Hash: E621E4B5900248DFDB10DFAAD984ADEBBF5FB48310F14801AE958B7360C374A944CF64

Function 0258D620 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0258D6A7

Memory Dump Source

Source File: 00000009.00000002.1838528167.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 71d384b7c16aea8dec5426153a0d20007b95718f5d8fbfa42552326bbb5cf3d6
Instruction ID: e308005064a42fb5482fa7258bf366f9a41dec3624410a940523eceb69b6275e
Opcode Fuzzy Hash: 71d384b7c16aea8dec5426153a0d20007b95718f5d8fbfa42552326bbb5cf3d6
Instruction Fuzzy Hash: 8B21E4B5900248DFDB10CFAAD584ADEBFF4FB48310F14801AE958A7350C374A940CFA4

Function 06F072BA Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F0732E

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 864305fce0bef9a373f2778186d2981d37a7d42842f9be1081e28344b0677c8b
Instruction ID: 2857e56341f5517cb870f2312a54b743d48c5f76196bb151f7f56f00aa3c11d6
Opcode Fuzzy Hash: 864305fce0bef9a373f2778186d2981d37a7d42842f9be1081e28344b0677c8b
Instruction Fuzzy Hash: 1B1167728002489FDB10DFAAC845BDEFFF5EF88324F248419E559A7260C775A940CFA4

Function 06F06CF8 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F06D62

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5da5140267c14ab51e554c34723acb588f2206e06402868c8a7db179954a2687
Instruction ID: 2dc7f655b18a045c65cfef6973ddee8453ea5c6b1e83720510eec0bdf9261d24
Opcode Fuzzy Hash: 5da5140267c14ab51e554c34723acb588f2206e06402868c8a7db179954a2687
Instruction Fuzzy Hash: 8E1137B19002498FDB20DFAAC4457EEFBF5AB88324F208419D419A7250C7356544CB95

Function 06F072C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F0732E

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: dff7780ec2d6c6f528617e0a019f6fb7f75a9c214edf6961e8bf1ca9f437da73
Instruction ID: e0c22054602ba57d60177c648343859e4fecc404ec2b8aea296863e5646edc20
Opcode Fuzzy Hash: dff7780ec2d6c6f528617e0a019f6fb7f75a9c214edf6961e8bf1ca9f437da73
Instruction Fuzzy Hash: 311167718002488FDB10DFAAC845BDEBFF5EF88320F208419E519A7260C735A540CFA4

Function 06F06D00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F06D62

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3b8f4ad4e57a704e693ab4f83d67e6bec4662cee9cceef7ab965cc20e44e81d5
Instruction ID: 289747e55c41a48dbb92fdd5d30de5611418a08c3585a1380c4658b83f767723
Opcode Fuzzy Hash: 3b8f4ad4e57a704e693ab4f83d67e6bec4662cee9cceef7ab965cc20e44e81d5
Instruction Fuzzy Hash: 321125B1D002488BDB20DFAAC4457EEFBF5AB88324F24842AD459A7250CA75A944CBA5

Function 06F03FE8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F0A455

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 89b2bd2305acfc56aac522ddbcdb8c599b77167e82ea619468de914cd53443ea
Instruction ID: ceb2abe29e738a6cf2914f111c9927a188d8fef817a78a97b286f659504efe7b
Opcode Fuzzy Hash: 89b2bd2305acfc56aac522ddbcdb8c599b77167e82ea619468de914cd53443ea
Instruction Fuzzy Hash: 331106B9800349DFDB10DF99C449BDEBBF8FB48314F108459E558A7251C375A944CFA5

Function 0258B340 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0258B3A6

Memory Dump Source

Source File: 00000009.00000002.1838528167.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2580000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7a6dadf87932d0ac8e0ce0043984da6d3a733b73bb012c5e366947df6e24d388
Instruction ID: a4d8ef39855aaeb0149f7f92a90e42c0277406fe4b9e424532c0d18ec70de8f8
Opcode Fuzzy Hash: 7a6dadf87932d0ac8e0ce0043984da6d3a733b73bb012c5e366947df6e24d388
Instruction Fuzzy Hash: 1D1110B5D003498FCB10DF9AC444ADEFBF8AB88324F10842AD819B7210C375A545CFA5

Function 06F0A3F1 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F0A455

Memory Dump Source

Source File: 00000009.00000002.1843486423.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f00000_oGnCNPiCwiAocn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 24e57a9f60a92d67eeefe4be0ce882bf97f9496f69b009726d04014d425928f6
Instruction ID: f4c1e336a059f4fd815709336e485030e85fe3f9eac780343554af61f3bce2dc
Opcode Fuzzy Hash: 24e57a9f60a92d67eeefe4be0ce882bf97f9496f69b009726d04014d425928f6
Instruction Fuzzy Hash: 2B11F2B98003499FDB10DF9AC889BDEBBF8FB48324F108419E558A7251C375A944CFA5

Function 0244D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1837941551.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_244d000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e742a502772b409777e95455cf9dab84830a8790e090ab28e6e2f52e147d0cbd
Instruction ID: c08a0872a3f93457811a69bc47a272693844b75629f37f1bf4b73625b3659df1
Opcode Fuzzy Hash: e742a502772b409777e95455cf9dab84830a8790e090ab28e6e2f52e147d0cbd
Instruction Fuzzy Hash: D5210771A04240DFEB05DF14D9C0B2BBF65FB88318F24C56AE9094B356CB36D456CBA1

Function 0245D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1838080757.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_245d000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc5ba9a1c0f10c42bc204a2fa9c6737ee833a369af285be066449d719041fd2
Instruction ID: 15dfb6fc25d9074184ac8f469337d057dd13812bf851e0c9bddc3712eaddd438
Opcode Fuzzy Hash: 5fc5ba9a1c0f10c42bc204a2fa9c6737ee833a369af285be066449d719041fd2
Instruction Fuzzy Hash: 2721F271A04200DFDB14DF14D9C4B26BBA5EF84B18F20C56ADD8A4B357C33AD447CA61

Function 0245D005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1838080757.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_245d000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf7223398e2644f6ec235229510abdc32e32ba3a50a3f4759d1739de75ea5d6
Instruction ID: 976cf76fa32ff7e4fbe08fdaaf6b40a09e18760c509b14c28ca2c394b98633d8
Opcode Fuzzy Hash: aaf7223398e2644f6ec235229510abdc32e32ba3a50a3f4759d1739de75ea5d6
Instruction Fuzzy Hash: 5C217475508380DFDB06CF14D594716BF71EF46214F24C5DAD8894F2A7C33A9806CB62

Function 0244D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1837941551.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_244d000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 7df53b52eab244aff0e4c426f4216101b94c1ab27be42f5b96532b345f095bf2
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0111D376904280CFDB16CF14D9C4B16BF71FB84318F24C6AAD8494B756C736D45ACBA1

Analysis Process: oGnCNPiCwiAocn.exePID: 6112, Parent PID: 7896COMMON

Executed Functions

Function 01446880 Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

,bq, xrefs: 014469F2
,bq, xrefs: 01446A00
(o^q, xrefs: 0144697A
(o^q, xrefs: 01446988

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 0dcaf775a0bdc599e55457406de2e45525a2210421c317f11e7856035f3dacb5
Instruction ID: 5ae1f5a5cd2fe41f399acb6c3dbc17e6d0dd9f4cb4d4f33b899ffa1313569833
Opcode Fuzzy Hash: 0dcaf775a0bdc599e55457406de2e45525a2210421c317f11e7856035f3dacb5
Instruction Fuzzy Hash: A1D13D71A00119DFEB15CFA9C984AAEBBB2FF8A305F16806AE505AB375D730DC41CB54

Function 01449858 Relevance: 3.4, Strings: 2, Instructions: 851COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0144A273
(o^q, xrefs: 01449C78

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 1d50316572f958442813dc1874200676bdfd0ab3735ca7ae43be5255cfb39732
Instruction ID: efeb316c6dcc3bdae201265b32481bc963bc4e031d7c585463c79e2057294fef
Opcode Fuzzy Hash: 1d50316572f958442813dc1874200676bdfd0ab3735ca7ae43be5255cfb39732
Instruction Fuzzy Hash: B1727F71A00209DFDF15CF68C984AAEBBF2FF88314F25855AE9069B3A5D730E941DB50

Function 01446108 Relevance: 3.0, Strings: 2, Instructions: 514COMMON

Download Yara Rule

Strings

(o^q, xrefs: 01446642
Hbq, xrefs: 0144650E

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 0ff38f63b31cf82d833abe0139b1f021231a30132ee83804fd9a6c1a0ec372b3
Instruction ID: d75e3d42757e0c091a358730bec0fe2fb21578ca3d858a1ebcfc1d354e719226
Opcode Fuzzy Hash: 0ff38f63b31cf82d833abe0139b1f021231a30132ee83804fd9a6c1a0ec372b3
Instruction Fuzzy Hash: DE12A070A002199FDB14DF69C854AAEBBF6FF89304F25856AE509DB3A5DF309C41CB90

Function 0144B328 Relevance: 2.8, Strings: 2, Instructions: 346COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0144B747
PH^q, xrefs: 0144B758

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 40d20c726f3a0cee0fa26c7ef60df018aaa3ae2b21b74f149131488614730727
Instruction ID: 8adbbae8ffaca33685f19b5da4f42421489e49727d0c1ce81efb82ff436fe47b
Opcode Fuzzy Hash: 40d20c726f3a0cee0fa26c7ef60df018aaa3ae2b21b74f149131488614730727
Instruction Fuzzy Hash: 35E1FA75E00618CFEB14CFA9D984A9EBBB1FF49310F15846AE919AB361DB30E841CF51

Function 059F8B58 Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

PH^q, xrefs: 059F8E9A
PH^q, xrefs: 059F8EAB

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: f10cee93dae68278b66569469cd22b161a5d11e10d1e1da8327fbbc9a405b308
Instruction ID: 0e0781aec1595fda8da57ae828b728edaa57e766a26b6651b1641ff5cf215440
Opcode Fuzzy Hash: f10cee93dae68278b66569469cd22b161a5d11e10d1e1da8327fbbc9a405b308
Instruction Fuzzy Hash: 7991F270E04218CFDB98CFA9D8946ADBBB2FF89300F14846AD519AB355DB345986CF50

Function 0144C752 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0144C9B8
PH^q, xrefs: 0144C9A7

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: efcb302ad6fbfa5fcc8bbcd67f1510aac1d99f2c62c5507cbd61015c358a69d7
Instruction ID: 387c0eadf3a4a5e9118c267b6c7348d53586435cc8f5ddbb51c85d691aa35947
Opcode Fuzzy Hash: efcb302ad6fbfa5fcc8bbcd67f1510aac1d99f2c62c5507cbd61015c358a69d7
Instruction Fuzzy Hash: 6581B874E01218DFEB14DFAAD984A9DBBF2BF89310F14846AE419AB365DB309945CF10

Function 0144C190 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0144C3F8
PH^q, xrefs: 0144C3E7

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: ce1cd6e989b73f030053461da781a03eaa965b96512fc26a7f60a691da02eb94
Instruction ID: 8c4be1e5e9653e9bf763cddc0b73c8a1ed589a7b3f5e55b06c940c018f9debcf
Opcode Fuzzy Hash: ce1cd6e989b73f030053461da781a03eaa965b96512fc26a7f60a691da02eb94
Instruction Fuzzy Hash: 12819574E01218DFEB14DFAAD984A9DBBF2BF89300F14806AE419AB365DB319945CF50

Function 0144BEB0 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0144C107
PH^q, xrefs: 0144C118

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 625208a2c0183b03438259c1c974a0a34d051142a9c35e43fd6006d26e356a63
Instruction ID: cb72cded5e37169920841be6387c673660fd7f3844887a8161773e8c4c3973f0
Opcode Fuzzy Hash: 625208a2c0183b03438259c1c974a0a34d051142a9c35e43fd6006d26e356a63
Instruction Fuzzy Hash: EF81B674E01218CFEB14DFAAD984A9DBBF2FF89300F14806AE509AB365DB319945CF50

Function 0144C470 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0144C6C7
PH^q, xrefs: 0144C6D8

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 653a9c7d6127d1b5c820376502667b515b2ef31b27b57791b453adf264037f0d
Instruction ID: 7efcef1d88f76e88a2e7016d0fedb9fb1076dabccee12cd6e1ac6c23f3125c45
Opcode Fuzzy Hash: 653a9c7d6127d1b5c820376502667b515b2ef31b27b57791b453adf264037f0d
Instruction Fuzzy Hash: F381A774E01218CFEB14DFAAD984A9DBBF2BF89300F14D06AE419AB365DB319945CF50

Function 0144CA32 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0144CC87
PH^q, xrefs: 0144CC98

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: fb204a13ce4dd773291af86b2a760730c9e169fd8299ec376b8547eb51ab3ff4
Instruction ID: 35e07eb8c6891859bec17a453a8f55473e371a80ee4bd105a6315f34a79e4ae2
Opcode Fuzzy Hash: fb204a13ce4dd773291af86b2a760730c9e169fd8299ec376b8547eb51ab3ff4
Instruction Fuzzy Hash: CB81A574E01218CFEB14DFAAD984A9DFBF2BF88300F14806AE519AB365DB309945CF54

Function 01444AD9 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 01444D41
PH^q, xrefs: 01444D30

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 6ba07d3d0b49ae1a2beb47a1d89e2406106b55cb3a1527b03181448418209c81
Instruction ID: 89a461480b39dec6923910f8eff7802f4fa535617e374b271ee6cc18e11f3c98
Opcode Fuzzy Hash: 6ba07d3d0b49ae1a2beb47a1d89e2406106b55cb3a1527b03181448418209c81
Instruction Fuzzy Hash: 3E819574E00258CFEB58DFAAD984A9DBBF2BF89300F15806AE419AB365DB305945CF14

Function 0144BBD2 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0144BE27
PH^q, xrefs: 0144BE38

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 02cbc2e36504fb9a4190b5192c5647ad3f3a129f4f4bc90dc3b8ae086dd1e104
Instruction ID: cc17e43223656a0e933e396ce51c4478a3c1fd0cb700d61f31e542e6332363f7
Opcode Fuzzy Hash: 02cbc2e36504fb9a4190b5192c5647ad3f3a129f4f4bc90dc3b8ae086dd1e104
Instruction Fuzzy Hash: 9981A974D00258CFEB18DFAAD984A9DBBF2FF89300F14906AD549AB365DB309945CF11

Function 0144B4F2 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0144B747
PH^q, xrefs: 0144B758

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 844b3b49e5de9c1aa6f974efa2d5344b01d8d512cd41725c7fec3192495a9754
Instruction ID: c9bdfabc7cd72441b60f6ded97a709bfba0269d2726dffeb78a397e14e3c5627
Opcode Fuzzy Hash: 844b3b49e5de9c1aa6f974efa2d5344b01d8d512cd41725c7fec3192495a9754
Instruction Fuzzy Hash: 9161A874D006189FEB18DFAAD944A9EFBF2FF89300F14802AE519AB365DB349941CF51

Function 0144F007 Relevance: .7, Instructions: 715COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b553fbd7eaaaaf4f7b8b47c082ef9a5fe4ace7fbe270d3a4de67b9ecb1fe6082
Instruction ID: 19c0d4ad317c244b640eb36c576df2ef09f229b8de0a0445e14df2b4004c50cc
Opcode Fuzzy Hash: b553fbd7eaaaaf4f7b8b47c082ef9a5fe4ace7fbe270d3a4de67b9ecb1fe6082
Instruction Fuzzy Hash: 5A72C274E012298FEB65DF69C980BD9BBB2BB49300F1491EAD50CA7365DB309E85CF50

Function 059F8608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5177115b81174217b50da0c4d94327e665cd086b72da60c538a93b17b0c0112b
Instruction ID: b198bbf6077411b6f44664efa11fb82c849554102347a49af1646bc06f5baa65
Opcode Fuzzy Hash: 5177115b81174217b50da0c4d94327e665cd086b72da60c538a93b17b0c0112b
Instruction Fuzzy Hash: B7E1C174E01218CFEB64DFA5D954B9DBBB2BF88304F2081AAD409A73A4DB355E85CF50

Function 059FC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eeff3665ba35a70000d51c5868a49880a1fd0d148751fcd6a7489422ec0d738
Instruction ID: da97c856a3081f28dda7d79277b5341a200ab724fb12e986712712215b9ef1fb
Opcode Fuzzy Hash: 9eeff3665ba35a70000d51c5868a49880a1fd0d148751fcd6a7489422ec0d738
Instruction Fuzzy Hash: 96A19074E052288FEB28CF6AD944B9DFAF2BF89300F14C4AAD50DA7254DB305A85CF51

Function 059FBD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a64d52a9f069060261cb8fc729d1ccbf876a364146193de7b5d27215a11746
Instruction ID: 1faf3e51f543fe43a43f2c7f0cab23359ace72b7f51b34c4e76aed6eee6383ab
Opcode Fuzzy Hash: 97a64d52a9f069060261cb8fc729d1ccbf876a364146193de7b5d27215a11746
Instruction Fuzzy Hash: 69A19F74E012288FEB28DF6AD944B9DBBF2BF89300F14C0AAD50DA7255DB305A85CF51

Function 059FA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9945e99c5332b6d02d17fff217dc5c197ca72fcb706dcbef96ca1950814e5a7
Instruction ID: d0232db1f318a2434dd162d831229f3c96a4763605342967e95562d5c492e794
Opcode Fuzzy Hash: d9945e99c5332b6d02d17fff217dc5c197ca72fcb706dcbef96ca1950814e5a7
Instruction Fuzzy Hash: B5A19F75E012288FEB28CF6AD944B9DBBF2BF89300F14C0AAD50DA7254DB345A85CF11

Function 059FC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65dddc0fde349aed0ea3dd75b3144db3c023262d774620d5e0220b41e888f42
Instruction ID: 9379ea19b0b9507b4f0538b3c4fbccfab3b284bf1e1abc0b24ff04f6df66a0e8
Opcode Fuzzy Hash: b65dddc0fde349aed0ea3dd75b3144db3c023262d774620d5e0220b41e888f42
Instruction Fuzzy Hash: E5A19175E052288FEB28CF6AD944B9DFAF2BF89300F14D0AAD50DA7255DB305A85CF11

Function 059FB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2783f3789d417f7d82a28e422b0311d231b307e0bb360aa28236736576ec98
Instruction ID: f86b373a7e74b1479d7ad7bc7ba8b7573b894492ee20bc7fa4fe74989fd3ceee
Opcode Fuzzy Hash: 8a2783f3789d417f7d82a28e422b0311d231b307e0bb360aa28236736576ec98
Instruction Fuzzy Hash: A4A19F75E012288FEB28CF6AD944B9DBBF2BF89300F14C0AAD50DA7255DB345A85CF11

Function 059FD670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09ff4687d00329923eba7cfe53501cebbf82930663b80f1debeafd1d60a0296
Instruction ID: f13e82b7e7856cba46a0a4793dfeaaba2f28bb4b42ddfc105bc6817f2e71435d
Opcode Fuzzy Hash: e09ff4687d00329923eba7cfe53501cebbf82930663b80f1debeafd1d60a0296
Instruction Fuzzy Hash: 23A18E74E012288FEB28CF6AD944B9DFBF2BB89300F14C0AAD50DA7255DB745A85CF51

Function 059FB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ab4ad88164dd75f43546de67853b2b74e50d4c1fc7f59f4bfa07e9bd27da60
Instruction ID: dbb350cc7ff14feb5363012c0fe7f0cc5085335926d93142f7cc19107e3ad14d
Opcode Fuzzy Hash: 93ab4ad88164dd75f43546de67853b2b74e50d4c1fc7f59f4bfa07e9bd27da60
Instruction Fuzzy Hash: 8CA19F75E012288FEB28CF6AD944B9DBBF2BF89300F14C1AAD509A7254DB305A85CF11

Function 059FD028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10bffac2ce91b6ce49b1079ead886c5695258bdb465a5744e27d82c65e8291a7
Instruction ID: b0bfe34926b3d8b3efbb5e10ec6d919efeb3aab339cce9bf7ced35816a488550
Opcode Fuzzy Hash: 10bffac2ce91b6ce49b1079ead886c5695258bdb465a5744e27d82c65e8291a7
Instruction Fuzzy Hash: 88A19F70E012288FEB28CF6AD944B9DFBF2BF89300F14C0AAD509A7254DB305A85CF51

Function 059FAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf1d8153380f9e866c2a8f11f3f6c442cba89bb1368785b0c5318fb461a9ba9
Instruction ID: 461bb3383a08800a03908c1fc0dfb2763fc7f163ea528d815df72fca77b93f1a
Opcode Fuzzy Hash: edf1d8153380f9e866c2a8f11f3f6c442cba89bb1368785b0c5318fb461a9ba9
Instruction Fuzzy Hash: F6A19E75E012288FEB28CF6AD944B9DBBF2BF89300F14C0AAD50DA7254DB345A85CF51

Function 059FB08F Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c8f6cbfa74480875d0bd0cb406c812319122592111473af3a7d0ec69569dfd
Instruction ID: caca96c45d8c35329c1940793643349a55ad6f2a4624ec1041c3c4288820f88c
Opcode Fuzzy Hash: 67c8f6cbfa74480875d0bd0cb406c812319122592111473af3a7d0ec69569dfd
Instruction Fuzzy Hash: 3A81A371E00618CFEB68CF6AC944B9EBBF2AF89300F14C5AAD50DA7254DB305A85CF51

Function 059FD018 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d8dd6928dadde1e30ab97f6fc241dd82ceebc9ee2173cf051cf2776b08e3a7
Instruction ID: d48c526b31629d2ded3f7ef0e6eb5514e4fa8533fd4cd5edf09d5dc40a39f2d4
Opcode Fuzzy Hash: 40d8dd6928dadde1e30ab97f6fc241dd82ceebc9ee2173cf051cf2776b08e3a7
Instruction Fuzzy Hash: 71718471E016188FEB68CF6AC944B9DFAF2BF89304F14C0AAD50DA7254DB705A85CF51

Function 059FAA48 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbd378bcfb076f68ccd37bda4c6f951eca145877d4e54dad24d0f07830e3669
Instruction ID: 736d930c25384090e73bbebce9849a3383dc888303421659f1e724814a3c91b9
Opcode Fuzzy Hash: 6fbd378bcfb076f68ccd37bda4c6f951eca145877d4e54dad24d0f07830e3669
Instruction Fuzzy Hash: 63717271E006288FEB68CF6AC944B9DFBF2AF89300F14C5AAD50DA7254DB345A85CF51

Function 059FC9C8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af1f699b8ff5364820ede3129babcc7aaef2d859bd39486839c1cc24cf218cb
Instruction ID: c35904c07e990536133d89be54bac31b519d452638ce6383a139e02e767d5204
Opcode Fuzzy Hash: 4af1f699b8ff5364820ede3129babcc7aaef2d859bd39486839c1cc24cf218cb
Instruction Fuzzy Hash: D0418871E016188BEB58CF6BDD447DAFAF3AFC8314F04C1AAC50CA6264EB744A858F51

Function 059F85FC Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cfddf9ca4b27be85f40a85c5bfc39e04c6588a5370f68334afd646e907ea79
Instruction ID: 76d2920995bd07dd648512d230dd81bdcad33475f0a72fd7971ac89e7773d75a
Opcode Fuzzy Hash: 82cfddf9ca4b27be85f40a85c5bfc39e04c6588a5370f68334afd646e907ea79
Instruction Fuzzy Hash: 3641D0B0D002088BEB58DFAAD9547EEBBF2BF88300F14D16AC418BB254DB754946CF64

Function 059FBD28 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b960b1a996a05e34dd897abb75f89fb11391df33e8807c3a1d7fafb4b66a4b
Instruction ID: c2973c0cdf4cf785691690875ca1a0c31c1bedb019497a8126f193e55b472161
Opcode Fuzzy Hash: d7b960b1a996a05e34dd897abb75f89fb11391df33e8807c3a1d7fafb4b66a4b
Instruction Fuzzy Hash: 28416CB1D016188BEB58CF6BDD557C9FAF7AFC9304F04C1AAC50CA6264DB740A858F51

Function 059FC378 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ee668895c5c35dc1769c3815e682c8c25c1d43071a1342d2765fb0247f04ab
Instruction ID: 4687e7663ca04f33354b22d4a3c8a0e157f6f995a53297148b2c66e790913bca
Opcode Fuzzy Hash: 26ee668895c5c35dc1769c3815e682c8c25c1d43071a1342d2765fb0247f04ab
Instruction Fuzzy Hash: 3F416BB1D016188BEB58CF6BCD557CAFAF3AFC8300F04C1AAD50CA6264DB740A868F51

Function 059FB6D9 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8132b5ea5412d569d3b59f115c9be2a8fb53d767ddde985946494d7ce07ffa73
Instruction ID: e520133c456cd302b78268d7130dae65b1913fcfdc2eadcc0d9e26f5099a619b
Opcode Fuzzy Hash: 8132b5ea5412d569d3b59f115c9be2a8fb53d767ddde985946494d7ce07ffa73
Instruction Fuzzy Hash: DE4178B1E016188BEB58CF6BDD457CAFAF3AFC8314F14C1AAC50CA6264DB740A858F51

Function 059FA3F8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035cf6a29404e6cdf1dca38bf0d5a75bf203f86c4b9da4c4bc21778345931a0b
Instruction ID: bed3d42206c62876302a8becfa88ac01f63f92c31899a0393a1a28774b7e64a5
Opcode Fuzzy Hash: 035cf6a29404e6cdf1dca38bf0d5a75bf203f86c4b9da4c4bc21778345931a0b
Instruction Fuzzy Hash: 074169B1D016188FEB58CF6BC9457DAFAF3AFC8310F14C1AAC50CA6264EB740A858F11

Function 059FD662 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20e36ef4ad7f6c2af2bcf22a72911defe2113052ec36a25c89b9046578c37db
Instruction ID: 2dcc9e2e2cb28f3ce94e9bcf5f8f24c3a959b67b93010cf1098f33654a8b4550
Opcode Fuzzy Hash: a20e36ef4ad7f6c2af2bcf22a72911defe2113052ec36a25c89b9046578c37db
Instruction Fuzzy Hash: 52415BB1E016188BEB58CF6BDD45789FAF3AFC9300F14C1AAC50CA7265EB740A858F51

Function 01446E58 Relevance: 10.5, Strings: 8, Instructions: 473COMMON

Download Yara Rule

Strings

(o^q, xrefs: 01447377
(o^q, xrefs: 01446E96
(o^q, xrefs: 0144701A
(o^q, xrefs: 01447367
,bq, xrefs: 01447308
(o^q, xrefs: 01446F7D
(o^q, xrefs: 01446F51
,bq, xrefs: 014472F8

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: a397b66a37c7e702c7d8aaaccae96299aaee82922aa2c43780a8deec4e5497fa
Instruction ID: 3636777b56fbd1f202aaa2ebd7ca3d7c480a2b6aac2c1b09931fdfd9954ec58e
Opcode Fuzzy Hash: a397b66a37c7e702c7d8aaaccae96299aaee82922aa2c43780a8deec4e5497fa
Instruction Fuzzy Hash: 5B125830A002098FDB25CF69D984A9EBBF2FF49315F15856AE9199B371DB30ED42CB50

Function 014477F0 Relevance: 3.2, Strings: 2, Instructions: 688COMMON

Download Yara Rule

Strings

$^q, xrefs: 01448314
$^q, xrefs: 01448337

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 1ca6f963e2db02b37d073ecab34bb676fd2c9bf4bf7cddc8deb6eae2338a634d
Instruction ID: b68de8783f8cfcd6dc680da5869d71a18c2f264bff6f20bc56f56db21ed70ed8
Opcode Fuzzy Hash: 1ca6f963e2db02b37d073ecab34bb676fd2c9bf4bf7cddc8deb6eae2338a634d
Instruction Fuzzy Hash: 06522274A00219CFEB159BE8C8A0B9EBB76FF95300F1081AAC10A6B3A5DF355D85DF51

Function 014456A8 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

Hbq, xrefs: 014457C6
Hbq, xrefs: 01445793

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: b44a00d9cf7c235abf7db9398a2c8f3b661ab448491e4cf4ac72cdd1590f056c
Instruction ID: 272f7cd28f170bdde234c5342e1fc9a3cd9402945f4da33d4c2fa9144ae4a573
Opcode Fuzzy Hash: b44a00d9cf7c235abf7db9398a2c8f3b661ab448491e4cf4ac72cdd1590f056c
Instruction Fuzzy Hash: 45B1AD317042558FEF259F78C854B2B7BA2BB89314F14856AE506CF3A5DF74C842C791

Function 014487E9 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01448811
4'^q, xrefs: 01448837

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: ec81b9b71396d06cb2aea303b31640cb789760be3a609798cb4e8e1ec84f75dc
Instruction ID: 0f93f7187b7d30f880e17fa9c31d041d5a482c7be691c36f1aa14c0297c65ca9
Opcode Fuzzy Hash: ec81b9b71396d06cb2aea303b31640cb789760be3a609798cb4e8e1ec84f75dc
Instruction Fuzzy Hash: F9B140707105038FFB159BADC958B3A3A96EF85644F18446BE606DF3B1EA75CC428742

Function 01445C08 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,bq, xrefs: 01445CE8
,bq, xrefs: 01445CDE

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 0fc7723fd9f669ea6cb37f1517cbb895e2ea1801685a4f03c8c5163fb4b3131e
Instruction ID: 3351df9dd75763013283a9b94539e55298783d9266a57e74d0b680eb542e5f37
Opcode Fuzzy Hash: 0fc7723fd9f669ea6cb37f1517cbb895e2ea1801685a4f03c8c5163fb4b3131e
Instruction Fuzzy Hash: 2D81AF75A005058FEF24DF6DC88896ABBB2FF89210B24C56AD506EF375DB31E842CB50

Function 059F9510 Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

(bq, xrefs: 059F96EA
(&^q, xrefs: 059F962B

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 72e1daeec63911b6248000c7d1e0f5c8800752a2f9cf45b6cfc949fcddfe3c93
Instruction ID: d45c761cab9f00e2e62a2f5b923b6c1fc1c18c4120f5eedf51411715c757d4a1
Opcode Fuzzy Hash: 72e1daeec63911b6248000c7d1e0f5c8800752a2f9cf45b6cfc949fcddfe3c93
Instruction Fuzzy Hash: 62718E31F002199BDB15DFB9C8546AEBBB6FFC8710F144529D506AB380DF70AD468BA1

Function 01443428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 0144345E
Xbq, xrefs: 01443435

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 1cfcf440f8d842c53745fad1a7b294b398eae20eba2524efad36e803df6f1b84
Instruction ID: 22dfaeb3f0a14c7a0d4dc1bd0ac33914a0530ddde1484dc9b94c5a2ec3031981
Opcode Fuzzy Hash: 1cfcf440f8d842c53745fad1a7b294b398eae20eba2524efad36e803df6f1b84
Instruction Fuzzy Hash: 5A31B239B003358BFF1E9E6E49942BBA5DABBC4A10F14453BE906C33A4DB74C84187A1

Function 01440C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01440E5E

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 21abb5357b9d1203c22037fd8a80e0178e34ed5450475edb5148c0620bc5eaab
Instruction ID: 1db98600ba38e2920bf1cd6dda37f7f29dd59a6d1f5c1fdaf48fe2421d2d27b3
Opcode Fuzzy Hash: 21abb5357b9d1203c22037fd8a80e0178e34ed5450475edb5148c0620bc5eaab
Instruction Fuzzy Hash: 5222227490121ACFCF55EF65E985A9EBBB1FF48301F1086A9D509A7328EB306D85CF50

Function 01440CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01440E5E

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 6f5ba6237246c26aef3247423da056eb8982687320b8339bacc4831c41ec365a
Instruction ID: 1a7a0a112111f6d72e41439da87143f4f06045ac923c97b8e914e4a30425cc84
Opcode Fuzzy Hash: 6f5ba6237246c26aef3247423da056eb8982687320b8339bacc4831c41ec365a
Instruction Fuzzy Hash: CD22107490122ACFCF55EF65E985A9EBBB1FF48301F1086A9D509A7328EB306D85CF50

Function 0144A650 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0144A7D9

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: c342c6fca62440caeb8ca58666fbee245428c7cb846127c8c75c691a03f972f9
Instruction ID: 41ec647ce2ef8e457eef8f3381a278da60c40c0e9547f903ff928b28456ee8cb
Opcode Fuzzy Hash: c342c6fca62440caeb8ca58666fbee245428c7cb846127c8c75c691a03f972f9
Instruction Fuzzy Hash: 0F41BF357002089FDB259F79D8586AEBBF6FBC8211F24856AD916D73A1CE319C06CB90

Function 0144A818 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3731cf2c721ea08eeb51c70d31a1266497154d99c26678159ced22e6500e71bb
Instruction ID: c33d5278b88707c9c483ed09ef0986df11c6ee7c581b27d3f4155f34677ae9a5
Opcode Fuzzy Hash: 3731cf2c721ea08eeb51c70d31a1266497154d99c26678159ced22e6500e71bb
Instruction Fuzzy Hash: 0FF11A75A405158FDB04CF6DC9849AEBBF6FF88310B2A845AE516AB371CB31EC81CB50

Function 01447438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9da0927aa644f553f27b9259b8fb5f6d37f8b9e03f8d91e2cc1f36dda2b87d
Instruction ID: 40b518061e7fa9e6e092cf79dea5cb58a75bde2c7da1caac568d25077bc8485c
Opcode Fuzzy Hash: 6a9da0927aa644f553f27b9259b8fb5f6d37f8b9e03f8d91e2cc1f36dda2b87d
Instruction Fuzzy Hash: 39712E34700245CFEB25DF2CC894AAE7BE6AF49612F1540AAE506CB3B1DB70DC42CB90

Function 0144CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fe4337b8d020b9bddcf48f588b0a445889515b63b39549e25f41307b580163
Instruction ID: 166fd44877c3fde52a4ed5b8ec99339b7ab0b7dfeb7379b9b06eb29e13c6d14b
Opcode Fuzzy Hash: 88fe4337b8d020b9bddcf48f588b0a445889515b63b39549e25f41307b580163
Instruction Fuzzy Hash: D851A0309623079FDB643FA4A6EC16ABFA8FB4F327B456D14A15EC10A9DF705045CB50

Function 0144CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08140f6acbb000a1b7e3703ef0aae7e81ef17ce2a59c5e4bdf804a103b9bc3e
Instruction ID: 1842522c86c015edad571e516a060cdeeb8afc96ec0ff6cf22b821f18508d6b8
Opcode Fuzzy Hash: f08140f6acbb000a1b7e3703ef0aae7e81ef17ce2a59c5e4bdf804a103b9bc3e
Instruction Fuzzy Hash: 9B518E309623079FCB643FA4A6EC17ABFA8FB4F327B456D14A21EC50AD9F7054458B60

Function 0144E2D9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b515ee9910c51a2da55f77d2a4b7a806914525515ff817416626301e65c0cd
Instruction ID: 08c968d62481de5f2eb31caba66e92e3c5d4d0136dcea1b1f53a71b7dc89afa8
Opcode Fuzzy Hash: 21b515ee9910c51a2da55f77d2a4b7a806914525515ff817416626301e65c0cd
Instruction Fuzzy Hash: A8512274D01218DFDB15DFA5D954A9EBBB2FF88304F208529D809BB3A8DB359986CF40

Function 0144CD10 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb655549f7f46d6266f480bc6d30a59960b3cfd09b206078c42cfe8a1c908e9e
Instruction ID: df77c34f02681236d4ab671430e8562833c79dc14ecf2a049febf828ad963fd6
Opcode Fuzzy Hash: fb655549f7f46d6266f480bc6d30a59960b3cfd09b206078c42cfe8a1c908e9e
Instruction Fuzzy Hash: 01518274E012189FDB58DFA9D98499DBBF2FF89300F248169E819AB364DB30A901CF50

Function 059FDCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a833a27119c2bdbda93ab820a9a757345da3fcab825427465775808d709b92
Instruction ID: 4f72f024375552aae5ed4aadffd57ffe78b606a204b9a2e35e2f36a3fa7fd36b
Opcode Fuzzy Hash: 78a833a27119c2bdbda93ab820a9a757345da3fcab825427465775808d709b92
Instruction Fuzzy Hash: 82418135901319DFDB14AFB1E0AC7EE7BB9FB8A316F005829D20667294DB780A44CF95

Function 01443908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758f22599a15242ae8631dac61161ed0c319eaea3123e05f855502e78afdcc35
Instruction ID: db6fcd9a8f8220cac32d7aa4239e684b85c261b6681a147cdf77c386d1f983e9
Opcode Fuzzy Hash: 758f22599a15242ae8631dac61161ed0c319eaea3123e05f855502e78afdcc35
Instruction Fuzzy Hash: 1751C674E01219CFDB09DFAAD49089DBBF2FF89310B209569E905BB324DB31A942CF50

Function 01449A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb886016a898cab6145a2fe728a0d1178cf9fb8accca9654bc8cb80a321c697f
Instruction ID: 4271690b357f29783a189745656b488035ce5478ca11c059ad0660e92885523c
Opcode Fuzzy Hash: eb886016a898cab6145a2fe728a0d1178cf9fb8accca9654bc8cb80a321c697f
Instruction Fuzzy Hash: 2F41AF31A00289DFEF15CFA8C844A9FBFB2FF89354F048556E915AB2A1D330D910DB90

Function 059F9500 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad38679d39a496eb803959f5a46a3cb6ec09c495f28b624684d957ca04e79c62
Instruction ID: 387783fa9dcc6dd6c8d945db70594bd2fd14c84d064c22881ce70b0b66aaf2ad
Opcode Fuzzy Hash: ad38679d39a496eb803959f5a46a3cb6ec09c495f28b624684d957ca04e79c62
Instruction Fuzzy Hash: 53413031E002199BDB14DFA5C884BDEFBF5BF88710F14852AE516B7240EB70A946CB91

Function 059F9A49 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deac1f30fbfa64a68cfe11540a6d5029d9b5224a3a60f944f9820736a85ae56e
Instruction ID: d3c03a1fc9edb048778ee09d5e0a77a4e6361c40f90919fa374759ff59e12c74
Opcode Fuzzy Hash: deac1f30fbfa64a68cfe11540a6d5029d9b5224a3a60f944f9820736a85ae56e
Instruction Fuzzy Hash: C841D074E012188FDB14DFA5D994BEDBBF2BB88304F20912AD419A7294EB349A46CF54

Function 0144D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c6982d3705527610c6c1174382040f601e2442d5dbd74565e9aa834419b42e
Instruction ID: b351bad090509b2a4fd9ad51d7212ffeee79843850bd99182b26513bcf3edd84
Opcode Fuzzy Hash: e3c6982d3705527610c6c1174382040f601e2442d5dbd74565e9aa834419b42e
Instruction Fuzzy Hash: 52415974D01248CFEB15DFE9D4846EDBBB2FF69301F20912AE019A7265DB359842CF54

Function 01446730 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4ab6682b244be4ce0051d3d39b915158f987af337f93d0ccecbc3b85529796
Instruction ID: 206f6f1fd14801b4643609f6e1d4b35092734377636b79153366a13cb262b08a
Opcode Fuzzy Hash: ec4ab6682b244be4ce0051d3d39b915158f987af337f93d0ccecbc3b85529796
Instruction Fuzzy Hash: 2341CE31A00208DFEF15DF69C804BABBBB6FB45304F05842AE8159B361EB74DD45CBA1

Function 059F9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87b6b553cafa7c8190dbe0d4b7a29812ea293a6be143294aac9e0cd6076fd58
Instruction ID: f4e710424ceb333dfbb1f44a28532921d753794366732a94b758dca78c691a09
Opcode Fuzzy Hash: d87b6b553cafa7c8190dbe0d4b7a29812ea293a6be143294aac9e0cd6076fd58
Instruction Fuzzy Hash: 8941C074E01218CFDB14DFA9D5947EEBBF2BF88304F10912AD419A7294EB345A46CF54

Function 0144D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6070bfaaaa785af5cf5c6a546e905f32df646f6ebbb64b8ff0a555677fa9645f
Instruction ID: be726d8c432a2f96a09fe280d9bbfd6fe8fa931bcc7d2e31edf3f686d77f1ac6
Opcode Fuzzy Hash: 6070bfaaaa785af5cf5c6a546e905f32df646f6ebbb64b8ff0a555677fa9645f
Instruction Fuzzy Hash: 2B411374D02208CFEB11DFE9E4846EDBBB2FB59311F20912AE419A7265DB359842CF54

Function 0144D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516b520f9fa19ffc21288679cd24fd52cc52c08e32708079ef6efae7f4749c6d
Instruction ID: cd569f6a0ecfef811a7fda531d8361ae47dae2a29a37854e94c31cb1f6efd1c3
Opcode Fuzzy Hash: 516b520f9fa19ffc21288679cd24fd52cc52c08e32708079ef6efae7f4749c6d
Instruction Fuzzy Hash: 25411570D01208CBEB05DFAAD444AEEFBB2BB99300F14D12AD518A7365DB359842CF54

Function 01444DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e4c59b3e97d3816302a265732c934eee9369d5fe5e29526334f12a7987b565
Instruction ID: 866532834d0947bf2eca69cf7f83ef384a336fc82a37c285660c85638a24d94e
Opcode Fuzzy Hash: 69e4c59b3e97d3816302a265732c934eee9369d5fe5e29526334f12a7987b565
Instruction Fuzzy Hash: F531837120410A9FDF169F68D454AAF7BA6FF88325F244426F91587764CB34CC62DBA0

Function 059FDCB1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d4e9e59f467456e677946dec865e8e6bd9e8589445a07e9cffd53336b1e6e1
Instruction ID: 343c362814cd21d13822de857716599667b5fbcf28edb5dc65e7b22ef5cfebf3
Opcode Fuzzy Hash: b6d4e9e59f467456e677946dec865e8e6bd9e8589445a07e9cffd53336b1e6e1
Instruction Fuzzy Hash: 14318171901319DFDB10AFA5D0AC7EE7BB9FB8A315F005829D21667294DB781A44CF90

Function 014476E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7456f0882fb83465dda72359e698ba74efd4be89e217a93ac8fddd997d24674e
Instruction ID: fc8de137ac72ce4d73248239f9079dd7bb36bce8daf7c5700f6c8623bed35c11
Opcode Fuzzy Hash: 7456f0882fb83465dda72359e698ba74efd4be89e217a93ac8fddd997d24674e
Instruction Fuzzy Hash: E621A1393002054BFB259729C894A3B769BAFC4A1AF54807AD506CB7B9EF35DC439381

Function 0144A809 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b2efe96fc5e84a14ac53d36566c83255a76250e645c6eb7d14102348d6cea9
Instruction ID: 04b96cc8911e13618cb24adb128507d1aad9c1ce7b044d8107be691c7bab0557
Opcode Fuzzy Hash: 28b2efe96fc5e84a14ac53d36566c83255a76250e645c6eb7d14102348d6cea9
Instruction Fuzzy Hash: 8331B475A401098FDB04DF6DC888AAEBBF6FF84350B258559E516973B1CB30ED42CB90

Function 0144DF79 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb475311d5c628b5b27734b80d513e2bfeb3c8d125048c1677670d10ec340edc
Instruction ID: e22e9e2439efad4d5a480ba88e5bad86edbe276a6a8d394e148018053ffa460b
Opcode Fuzzy Hash: fb475311d5c628b5b27734b80d513e2bfeb3c8d125048c1677670d10ec340edc
Instruction Fuzzy Hash: ED219DB1E002098BEB18DFEBD8046EEFBB6BBD9300F04E526D514B7265EB7485068B54

Function 01442060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d567347681443c4e09c1c1bb9bedc288a17abe72b05e6eac82170c60b54e9f
Instruction ID: 936d4081eb5af1e20612822685bec42b22c2cdbfc11912bee2a1225d9bac48af
Opcode Fuzzy Hash: 67d567347681443c4e09c1c1bb9bedc288a17abe72b05e6eac82170c60b54e9f
Instruction Fuzzy Hash: 94212474A002159FDB11DF34D4409AF37A6EF89254F10C41AE94A8B350DF34EA42CBD2

Function 013AD4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4144355488.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13ad000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5d1cc018d46bc9300e238e452f93f7ba82cf97aba63478162e23b921c0139c
Instruction ID: c57f3482c859616fb260b72c4ab52ab139aacf58f40161e39d4463b1bae0fd90
Opcode Fuzzy Hash: 8c5d1cc018d46bc9300e238e452f93f7ba82cf97aba63478162e23b921c0139c
Instruction Fuzzy Hash: 002167B1500204DFDB05DF58D9C4B27BFA5FB9831CF60C569E84A0BA56C336D446CBA1

Function 01445A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0b28b7aa85e28fcfaead030c07c10762901f257409935c1b85a74ecb4da598
Instruction ID: 1f3a84d443b72a540f833efeabbc0ed7ca42acdb85f2a6cfa49337f4b40e8c1b
Opcode Fuzzy Hash: 9c0b28b7aa85e28fcfaead030c07c10762901f257409935c1b85a74ecb4da598
Instruction Fuzzy Hash: E921A1353016118FEF259A29C49452FB796FFC8665B14416AE906EF364CF30DC028BC0

Function 013BD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4144516260.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13bd000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8be6ff08b1dc425a4ea2fc636ef6d83b0752fc0582d5ecb5742677d866a11c
Instruction ID: 669a9daaccf89e7ce7dc3617801f51ee8bb1be6b3782371c118f81cf672f3fde
Opcode Fuzzy Hash: 1f8be6ff08b1dc425a4ea2fc636ef6d83b0752fc0582d5ecb5742677d866a11c
Instruction Fuzzy Hash: 82214271600208DFCB01CF68C9C0B26BBA5FB8431CF20C56DEA094BA52D73AD446CA61

Function 01444DB9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63265a74189ff0ba59848813c049e33fee647a5b3baefb8ab9ec080336600c93
Instruction ID: a2c65daaee00fc46f6c4786a2b978939c62c2bac7bfe24579ef0d0a2d111800b
Opcode Fuzzy Hash: 63265a74189ff0ba59848813c049e33fee647a5b3baefb8ab9ec080336600c93
Instruction Fuzzy Hash: B82106716041099FDF259F68D454B6B3BA2FB88325F244026F9098B365CB38CC52CBE0

Function 059F96F0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49adbf3b7d2d34cf0543c5e348215aea0e2deceed0746ced98abaf0e0914d979
Instruction ID: ac7f895c933d1fa0be78d9cf9c089b0cf721364ef07f2b45f895d8674ec7293a
Opcode Fuzzy Hash: 49adbf3b7d2d34cf0543c5e348215aea0e2deceed0746ced98abaf0e0914d979
Instruction Fuzzy Hash: CB1127363082545FCB46AFB858281AE7FB7EFC9260B54486AD405DB385DF348E0187B6

Function 0144D60F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c76d827a5e981a7ee9d198babe2c9cf347d39496048a24b689a19c5c8203c61
Instruction ID: 7ef2f996adf57d1d2cb40717fffad8057bb8f706e166b66cf8c1ca2854ad76b2
Opcode Fuzzy Hash: 6c76d827a5e981a7ee9d198babe2c9cf347d39496048a24b689a19c5c8203c61
Instruction Fuzzy Hash: 26113A71E006088BEF08DFAAD8456DEFBF2EBC9310F18D126D418B7269DB3445068F54

Function 059FE0C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7045daa0d21922893fdcc110d863d4ea7e2d18066d880f91babb5a78977b6d
Instruction ID: 7a35dda99c3536351648e3f315a1eef27ac35e6c654b5033fee1ee52f91a2996
Opcode Fuzzy Hash: 5c7045daa0d21922893fdcc110d863d4ea7e2d18066d880f91babb5a78977b6d
Instruction Fuzzy Hash: 2F1104317052449FD7151B3A58585BBBFABAFCA310B158877E146C73AACE348C0A8320

Function 0144E201 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf2995b496e7f972ddfaa0ca4f2463c20692efbad1a8b3422ed0b06f93ed1a0
Instruction ID: c0941aa8470b4e8e9bb82477168777e4d85a7e8bba69daaee367cd64f2bfbe17
Opcode Fuzzy Hash: ecf2995b496e7f972ddfaa0ca4f2463c20692efbad1a8b3422ed0b06f93ed1a0
Instruction Fuzzy Hash: 97216D70D00109DFDB45EFB9D58168EBBF2FB45304F0096AAD115AB329FB305A468B81

Function 013AD4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4144355488.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13ad000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: c48e166f6104874eff1515b1dc5dfa7963ecf13b9b5fc33174ecc24c957f5f56
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1411D376504240CFDB16CF54D5C4B16BF71FB84318F24C5A9D9490B657C336D45ACBA1

Function 01441F61 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b054905c59647a887bb2fa62eaaa7574f3b82f47f0153f3cda426c87a8934ce0
Instruction ID: 77af42ce9ee33f280248b55dc1f1a430847f10193e34724b2280b6a5ceb4b120
Opcode Fuzzy Hash: b054905c59647a887bb2fa62eaaa7574f3b82f47f0153f3cda426c87a8934ce0
Instruction Fuzzy Hash: 0221C0B4C0520A8FCB51EFA8D8955EEBFF4BF09304F10516AD905B7264EB305A85CBA1

Function 059F9999 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794f521b3e38c5ea87746e28403585aecc785bded2f697195dce841ce194bc60
Instruction ID: 5c2383938f920cdb80719070e87d848878d8188b496431e0b2f074323c176a72
Opcode Fuzzy Hash: 794f521b3e38c5ea87746e28403585aecc785bded2f697195dce841ce194bc60
Instruction Fuzzy Hash: 081134B6800349DFDB10CF99C845BDEBFF4EB48320F148419E658A7261C339A594DFA5

Function 059F9350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60e50e239b575010f6fce8a4289835355d921d309a275d6b1de5817bf44a8ee
Instruction ID: 939e500664ca36ed13eac7f81774101779970257702ce1223d26ed343d23818f
Opcode Fuzzy Hash: c60e50e239b575010f6fce8a4289835355d921d309a275d6b1de5817bf44a8ee
Instruction Fuzzy Hash: 6F1134B6800349DFDB10DF99C944BEEBFF5EB48320F148419EA58A7211C379A990DFA5

Function 0144E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d284584362083080821d96b636fe006bce63ada378273f6f2c43997717f909
Instruction ID: f62ae661ca5a4a6c48e7c53ed376a8fe6c27ad4e34ad8c6d6f019766508b8dbd
Opcode Fuzzy Hash: a9d284584362083080821d96b636fe006bce63ada378273f6f2c43997717f909
Instruction Fuzzy Hash: C2113A70D00209DFDB45EFB9D58169EBBF2FB45304F1096AAD115AB329FB305A458B81

Function 059F8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb47d5dfce9bc98b2e73fbf394a56f79e762d9a1d5b3bb204c62a34133c0f23e
Instruction ID: b1acba27ca5581b87f06ca443530ad0428437b528e3ea7be955a2ae0a6a7053e
Opcode Fuzzy Hash: eb47d5dfce9bc98b2e73fbf394a56f79e762d9a1d5b3bb204c62a34133c0f23e
Instruction Fuzzy Hash: 5B110C75F001498FDB04DFBCE850BEEBBB6EB59315F4094A5EA08E7349EB3099428B51

Function 013BD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4144516260.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13bd000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: f70192a43e7aeb8d019e32c7f67fa80da506d7b972969db918dbc8e86b1e6351
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 2411DD75504284CFDB12CF54C9C4B56BFA2FB84318F24C6AAD9494B656C33AD44ACF62

Function 01441F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b9e10a8458fda7b7cc0ca839a1453e8dda8eb5210bba1a75212b6068115607
Instruction ID: 68414c85d65ae7aac6c151ae799d7be65bcdb82c852ad29887c0152673ba2cb7
Opcode Fuzzy Hash: 50b9e10a8458fda7b7cc0ca839a1453e8dda8eb5210bba1a75212b6068115607
Instruction Fuzzy Hash: FE2147B4D0560A8FDB11EFA8D4485EEBFF0BF4A314F1442AAD545B7264EB301A85CBA1

Function 01445607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cd2281a4d19ede51e2ab0125cb516396498e0490b0000701f4e0885fa7b3f0
Instruction ID: 0c367303812bd0141eb20e435c8a224dd8b721de3e26a7704a83b66089937e44
Opcode Fuzzy Hash: f3cd2281a4d19ede51e2ab0125cb516396498e0490b0000701f4e0885fa7b3f0
Instruction Fuzzy Hash: 1001F7727001156FDF119E59E814BEF3BDBEBD8750F28802AF519DB354CA75C8128BA0

Function 059F9760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb44b7454354f629c4691fcf2d15f12fab2a749600d9cd8b0acde21e3680b050
Instruction ID: 35f750a49dc440e382b378ff4e4526cd5252aa014618f1e089443464a574eb4d
Opcode Fuzzy Hash: fb44b7454354f629c4691fcf2d15f12fab2a749600d9cd8b0acde21e3680b050
Instruction Fuzzy Hash: DCF054363001196F8B059E9898549EF7AABEBC8260B404429FA0997250DB71991197B5

Function 0144D449 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ab08973f7a6bac155863b96528708897222c9cec1129ca782ab33cec018aa4
Instruction ID: 9d743100717d58a1d2c2b3fabfcb545293914c04b01c80bc388b95a14b10f2c8
Opcode Fuzzy Hash: 83ab08973f7a6bac155863b96528708897222c9cec1129ca782ab33cec018aa4
Instruction Fuzzy Hash: 93E0D875E4010997E704AA99EC0A7EAB778D78A310F406035D208E7395EB74A1168A91

Function 0144DF08 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00f95a2da0034225b489630a1c52bfd229158fdf373fee245e2472edba6df75
Instruction ID: 93744057cccb434c10b8e846de890b261d91f8c2d695248b61e1a1f72697ca96
Opcode Fuzzy Hash: f00f95a2da0034225b489630a1c52bfd229158fdf373fee245e2472edba6df75
Instruction Fuzzy Hash: 54E0D835D04304DFDB14DEA9EC993BAB7F9EB8B300F445865D205A32A1EBB09215DB91

Function 0144D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742b5187f01e980daaa295581efe01dfad9645c9e0fe8c224b2c62dab6fdab0e
Instruction ID: d31ca2dcc975a57db56cb87c7ae4b9588d04bf87a735bc66263837d3827d1cb3
Opcode Fuzzy Hash: 742b5187f01e980daaa295581efe01dfad9645c9e0fe8c224b2c62dab6fdab0e
Instruction Fuzzy Hash: 56E0DFA2D091408BE7109BEA64260B9BF30D9F3211B8460A7D0898B675EA34E2079B11

Function 01442010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e8e3a8fc0aaee7d27f74e8d01bfdb345937c60af56c03c61f47187663a128f
Instruction ID: 5733fdac649c5337a481c9f89da10103a1637a9fbe82d08d28715f74d5225e75
Opcode Fuzzy Hash: c5e8e3a8fc0aaee7d27f74e8d01bfdb345937c60af56c03c61f47187663a128f
Instruction Fuzzy Hash: 5DE092319243665FC7019B649C540EEBB30FE92328B51456AD09466041E770195ACBA2

Function 01442020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a174c044be89e3a365066880f137b63a2723183f2fe7c35c545c4ace7f7bd525
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: a174c044be89e3a365066880f137b63a2723183f2fe7c35c545c4ace7f7bd525
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 01448258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 83cca6be6a90317e6e10313891367e1ab804d76c2475639cd178c22b251a2055
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 26C0123320C1282BA625108E7C40AA3BB8CD2C12F4A250137F91CA3220A8529C8101A8

Function 0144A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61132418eb0c26ff7c70fa85e6a740aa62a97959c9657b4808f1a3cbd0f3d65e
Instruction ID: 6f0a948244e87f5663947ba5b8cbc369c86d0d354ab601e0a804a6f918dd7105
Opcode Fuzzy Hash: 61132418eb0c26ff7c70fa85e6a740aa62a97959c9657b4808f1a3cbd0f3d65e
Instruction Fuzzy Hash: CFD0173AB01008DFCF008F88E8408DDB7B6FB9C221B108056E911A3260C6319821CB50

Function 01445EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d7838ac58ec3c0511dbf47427fe205cf3a2289a19bffa99c123922eaf44a35
Instruction ID: 80f07a2db353e6dcdcfc3b7e6e58c85be2cf0b035f73e78f48c133f4e78005c8
Opcode Fuzzy Hash: e9d7838ac58ec3c0511dbf47427fe205cf3a2289a19bffa99c123922eaf44a35
Instruction Fuzzy Hash: 06D0C2705143494FCB16F734E91545A7BB5FBC0204B5042AAD8414692EEA74584D4710

Function 01445EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620d401709647bfaa09201a2218dd101eadef065389858b6de6a10a24ce8b225
Instruction ID: 8a36132fa7cf2f08ef8e926461c5d9430a676802b399cc18d7588415d3603890
Opcode Fuzzy Hash: 620d401709647bfaa09201a2218dd101eadef065389858b6de6a10a24ce8b225
Instruction Fuzzy Hash: 65C0127014430A4FC906F776EA45557B7AAFBC0304F508620A5090662DEF7468884790

Non-executed Functions

Function 059F2807 Relevance: 12.9, Strings: 10, Instructions: 388COMMON

Download Yara Rule

Strings

PH^q, xrefs: 059F2DD7
PH^q, xrefs: 059F2EE6
PH^q, xrefs: 059F2BEA
PH^q, xrefs: 059F2DEB
PH^q, xrefs: 059F2BFE
", xrefs: 059F3087
PH^q, xrefs: 059F2ED2
Hbq, xrefs: 059F2869
PH^q, xrefs: 059F2CF6
PH^q, xrefs: 059F2CE2

Memory Dump Source

Source File: 0000000F.00000002.4150767222.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59f0000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: "$Hbq$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2450740202
Opcode ID: 764c63179a3148110283623a1e9824a432dbe451b1924b7b264f4ed592fcb02a
Instruction ID: efaa7721079f515899af35c797afaf41b4ac3aa5b3decd0fddbeb0e6c4d93e08
Opcode Fuzzy Hash: 764c63179a3148110283623a1e9824a432dbe451b1924b7b264f4ed592fcb02a
Instruction Fuzzy Hash: 1712C074E002188FDB58DF69C994B9DBBF2BF89300F2085A9D509AB364DB759E85CF10

Function 01446088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 01446094
\;^q, xrefs: 014460C6
\;^q, xrefs: 014460BA
\;^q, xrefs: 0144609E

Memory Dump Source

Source File: 0000000F.00000002.4145168019.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1440000_oGnCNPiCwiAocn.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: ff7d8d528c5587311f93df516e4e0f4e56c96f0c6c809b7ebceaff4d7ddb2f34
Instruction ID: 55c09022f600f18f6f1c7812ed9c0561b91fe84c613158b4e295f30f9e38937c
Opcode Fuzzy Hash: ff7d8d528c5587311f93df516e4e0f4e56c96f0c6c809b7ebceaff4d7ddb2f34
Instruction Fuzzy Hash: F201D4717001149FEB28CE2CC44492677FBAF8AA60316817BE202CF3B4DA72DC428740

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rrequestforquotation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oGnCNPiCwiAocn.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rrequestforquotation.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zx4jgfc.ryv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewgtqzvh.5xd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kuzz3bkh.m3f.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_llvbzpdn.aqz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tha1q2k3.b4x.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wvobn35q.obr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeflaksy.riu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zaohc415.w4a.psm1

C:\Users\user\AppData\Local\Temp\tmpC98D.tmp

C:\Users\user\AppData\Local\Temp\tmpEF35.tmp

Windows Analysis Report
rrequestforquotation.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre