31.0.0 Red Diamond
IR
319686
CloudBasic
15:00:58
18/11/2020
INQUIRY.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
0b940145d7d02e5b1b975c99dd5197a4
53ae0b576f7b362b90a25ace1470d33068db4490
bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
Win32 Executable (generic) a (10002005/4) 99.66%
true
false
false
false
100
0
100
5
0
5
false
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_INQUIRY.exe_9acf60ae8258c649d949998398a696799dd6ab7_31a5ab7c_0466ea22\Report.wer
true
C8F2F641B01A44390EE72AB0291023BB
73DD3194D00A241D6506AC88E94A31C0872AAD9E
253F7456400E5CD904BCCB71A341A89DDED83968C28A9ECDED505C38833040EE
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_INQUIRY.exe_9acf60ae8258c649d949998398a696799dd6ab7_31a5ab7c_1a2a4622\Report.wer
true
0F2339E59B1382CFEBA7C65E0204DB37
869CD3F293F945FE0B794C50EF4899CCC318B52C
EBD1A41084A86F927C8E65CD72B32DC6B9A5E16C62205A82F52EC9B364A79947
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_009f3881\Report.wer
false
FBCEA239031271D5FC498B4CCFF7FFC5
A317C75282FB18400F1DA04EE684D29A375F5919
96D8D97D8A8C4F15EE1E0D1B75A78F8BEEBF3845EDD82E72E8D46F7F92F6B92E
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_18bf7163\Report.wer
false
5856CBF6D7376E0047754E49722CDE9A
051FCA316BE423B3D5475C843573239C084BB0AE
AC6415AD3FD401C7E0B4547121023266CF2ABBC2F75A35FCCB2763DB2B36AEF3
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_1a860a22\Report.wer
false
BEA478764A49288FAE5D2C58DEA9E7F7
8601AF0DC1CFDBA1A6FD96882B78E44800F059AF
D55EC04B23C4335716973DD1BE81A228576593188597B2FF2422E7CA596DAC57
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_1b4a9849\Report.wer
false
4E9027E389CF59A8E643336BC538513A
5FC1F51DA07FA44C69EF4DC8C46AF896176E76F0
5E35F7BEAF0E442F1923D24380FE8A32309325B08F6C6815AC221527631AEBEF
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp
true
B959EB0600252402A18BFCF647E10552
0626EAF638F4FEF2920A77E3BC56740E52E126C5
92E8F1B478C7EB956AD40A33A3739229D6C1ACB0793A32A327CF426C6CCE2A77
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E55.tmp.WERInternalMetadata.xml
false
878E1942EA193A0986BDC8426E80F69E
D47C31FC7B12BA957F6D61AB8E0C5FFDCE2585D6
B31B2972C250517AF12D08CD15DE379C47B1FAA215DF97926D7227400370543A
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3043.tmp.WERInternalMetadata.xml
false
3ACCC42FCA2CB02425C8B5FEB60C324D
2EF2A521BF4C9A6F3FA58C56A803D919B985BBE7
2ECDDEC9C38A915BD80665FAFBE7779795C1342454EA3C57D8D682FA52A2089E
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3106.tmp.xml
false
A8469566DD777304B6389CE1094F7028
E5C9D56772A35FD2D8DCA937B993B3F4C092F9B9
507E6016E8640ECE9E662D46F13B0C0322C64175A78028E65A471791CF7EB03D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER310F.tmp.xml
false
E90B24327D824129769567901CF443FD
136452E7C618931A5D39470F24C97B3CE9FB8858
27C78A3143AFDA038D4939AED93E3CB8B249CC9032C6568D01BAC4B57B298BAE
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6231.tmp.WERInternalMetadata.xml
false
0EF540DE4DBDF43FBCFEE50AB55FA136
7ECED9AE0FCF5AAC17BF09D4114C09D2285FC38E
8DAEF505D2FE71360A1544D35C3E1ACBE7AE5A4EFF9617AC844B591E55E9DCB1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6389.tmp.xml
false
2ABC6F088DE2C790C718E4B5C042A11F
663A6B84DE9F3B0284CB8F8F56F68836D59199BA
B78C0C1912AF53D5A3855576A4F1759E27E916D0CDDEA8F9ECD6B179302BB31D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp
true
FEAD06C9C1479F402088C5790CB54810
98E6C5DBB08872323131736E654FA53615B587B4
E5C77118B53DF48454D8706ADB3AA5E603848B19056510A90343E9C8229EEBC6
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8867.tmp.WERInternalMetadata.xml
false
443C182B00527E31B1E4AD64BFFA8241
F1D745B2744B4224FD43AE752DAA83B8E7FB10E8
25D2AD246A4ACEB2DBF6DD75A5DD3B06CC824F525D990939B860A4E259E71E64
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8933.tmp.xml
false
52FC903ED30F5B61BA8F727424907241
40816AF32399226225A46FA9841CC819A894B75A
CD4FF732AB018C9AAC4D92F681006C0FB246283D3ADC6A040F8CA7B31F48FF38
C:\ProgramData\Microsoft\Windows\WER\Temp\WER89A3.tmp.WERInternalMetadata.xml
false
B3060F69B30CC0B7BE8A0EEBBC0F66AE
14ED5EC297764359163C1F4AF27BA5D9CD96F73B
E42AE8026F9C077C31416C917B6B9EBE48907C17E9D392B0B900FA94CB1F7121
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B0B.tmp.xml
false
18F66061D1D492E5837EDA572C603EF7
09D9099E03FF5F8A1A481E9C16C706253EF312C8
40F6DA190C8F79EA3E49E49A4FF2165C43FDFA39C281EE54BEC83B22ABAD4810
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp
true
727EDE66BE753BF43CC3BB8AD0424846
6D36C62C3F02AC08483F5C46ECAE760987320DCF
790BA9AF55C3D758F27EF0D7863D6CB9A56EAFA041302FF6E05DD97CF97AC35F
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3AF.tmp.WERInternalMetadata.xml
false
5D356EEFFF6F12474642A2400398FCD4
51D9FB907FDCABE46A83942DF50444C241FC8F63
53E30E0481710B622CD95CFADFD2017035084D91E8EFDF6D2BF3EEDF642EF4F5
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6FC.tmp.xml
false
4433E23608B8B2A3855C267846E81EA3
20A828E188264B443EC9BF44921A81DADFD4B472
9632AC9115185AB53965AF43D06F0E22DC58CA6013D9DC82F82F636370757E73
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF38.tmp.WERInternalMetadata.xml
false
ACACA69C6A291286C08D46EDABFF5680
D7B1662B910D8FD7961E37DB9E444921E4639EA4
8EEB4DDDCF0548A987BD4BF9FE0C06E0B2C14C390D2F0F99C49CD1C5C541F745
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFF4.tmp.xml
false
DF582E1905AE5003E6954E4AD881502D
CA58F2D441FEA0F0EDB1918239EA99A9E579DE90
DA6CA008EF7A7B3630E4B663CB2A6E8CE38BCC4E32E7E416950FAB100EA1F2FB
C:\Users\user\AppData\Local\Temp\holderwb.txt
false
F3B25701FE362EC84616A93A45CE9998
D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Roaming\pid.txt
false
EFFC299A1ADDB07E7089F9B269C31F2F
6AFB24DE207D2E6952BA43F0E5B20BCDF0596CE5
50E9A8665B62C8D68BCCC77C7C92431A1AA26CCBD38ED4BBA8DD7422A3A4AB70
C:\Users\user\AppData\Roaming\pidloc.txt
false
4FA80C1B433C83F339F774D6347C74D8
B5F7CA62EFB43F9A32A112C991CE22C07A8908D2
25E8C1425C844373EBE82F274167A8ADEA6581F5A4F3ABC6B5F4BD0E5AE80092
104.16.154.36
104.16.155.36
192.168.2.1
166.62.27.57
whatismyipaddress.com
false
104.16.154.36
mail.iigcest.com
true
166.62.27.57
121.205.6.0.in-addr.arpa
true
unknown
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView