
Windows Analysis Report Inquiry - Specifications 002021.exe

Overview

General Information

Sample Name: Inquiry - Specifications 002021.exe
Analysis ID: 491433
MD5: 768a1127c119149f96a29c0d0c0b56ec
SHA1: afe86ab8d4a8b5b092e95f1cb2ae563f5ea5867d
SHA256: 2442c3ecd04264f108429a954275ee27986e00b79cbce6d07843dfefdf4d24af
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Moves itself to temp directory
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Creates processes with suspicious names
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "annett.jalowi@vern-group.com", "Password": "HUSTLE2021", "Host": "smtp.vern-group.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.559497777.00000000030EF000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.553693912.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.553693912.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 8 entries shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.Inquiry - Specifications 002021.exe.35a8b58.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Inquiry - Specifications 002021.exe.35a8b58.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.Inquiry - Specifications 002021.exe.2528614.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.Inquiry - Specifications 002021.exe.36d73e0.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Inquiry - Specifications 002021.exe.36d73e0.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(5 of 4 entries shown: all 4 entries listed)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.Inquiry - Specifications 002021.exe.35a8b58.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "annett.jalowi@vern-group.com", "Password": "HUSTLE2021", "Host": "smtp.vern-group.com"}
Multi AV Scanner detection for submitted file
Source: Inquiry - Specifications 002021.exe | Virustotal: Detection: 7%
Source: Inquiry - Specifications 002021.exe | ReversingLabs: Detection: 42%
Source: 5.2.Inquiry - Specifications 002021.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Inquiry - Specifications 002021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Inquiry - Specifications 002021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49849 -> 208.91.198.143:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49850 -> 208.91.199.224:587
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View | IP Address: 208.91.199.224 208.91.199.224
Source: global traffic | TCP traffic: 192.168.2.3:49849 -> 208.91.198.143:587
Source: global traffic | TCP traffic: 192.168.2.3:49850 -> 208.91.199.224:587
Source: global traffic | TCP traffic: 192.168.2.3:49849 -> 208.91.198.143:587
Source: global traffic | TCP traffic: 192.168.2.3:49850 -> 208.91.199.224:587
Source: Inquiry - Specifications 002021.exe, 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Inquiry - Specifications 002021.exe, 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Inquiry - Specifications 002021.exe, 00000005.00000002.559762309.0000000003180000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.vern-group.com
Source: Inquiry - Specifications 002021.exe, 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp | String found in binary or memory: http://tbdUKh.com
Source: Inquiry - Specifications 002021.exe, 00000005.00000002.559762309.0000000003180000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.312590262.00000000053E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.%AF
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.303059470.00000000053B9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.304621163.00000000053DC000.00000004.00000001.sdmp, Inquiry - Specifications 002021.exe, 00000000.00000003.304589020.00000000053DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.303059470.00000000053B9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersl
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.318162533.00000000053B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comttvc
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.318162533.00000000053B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com~
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292829166.00000000053EE000.00000004.00000001.sdmp, Inquiry - Specifications 002021.exe, 00000000.00000003.292750034.00000000053EE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292829166.00000000053EE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comON
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292829166.00000000053EE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comwN
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.304395330.00000000053DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.ccN/
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.304499547.00000000053DC000.00000004.00000001.sdmp, Inquiry - Specifications 002021.exe, 00000000.00000003.304256608.00000000053DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.y
Source: Inquiry - Specifications 002021.exe | String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.293144259.00000000053CB000.00000004.00000001.sdmp, Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292167827.00000000053D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com#
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292790308.00000000053CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com-e
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292790308.00000000053CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com=
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292167827.00000000053D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comiv
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292451686.00000000053D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comus
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292988250.00000000053CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comus0
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292790308.00000000053CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comusJ
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.292814955.00000000053CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comusW
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.293144259.00000000053CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.293144259.00000000053CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netI.TTFB5
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.293144259.00000000053CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.nete
Source: Inquiry - Specifications 002021.exe, 00000000.00000003.293144259.00000000053CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netl
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Inquiry - Specifications 002021.exe, 00000005.00000002.559497777.00000000030EF000.00000004.00000001.sdmp | String found in binary or memory: https://SAIitQOLdjJT1PWF4ciQ.net
Source: Inquiry - Specifications 002021.exe, 00000005.00000002.559497777.00000000030EF000.00000004.00000001.sdmp | String found in binary or memory: https://SAIitQOLdjJT1PWF4ciQ.net(0
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.329163786.00000000034D1000.00000004.00000001.sdmp, Inquiry - Specifications 002021.exe, 00000005.00000002.553693912.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Inquiry - Specifications 002021.exe, 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: smtp.vern-group.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Inquiry - Specifications 002021.exe
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.320291325.000000000089B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 5.2.Inquiry - Specifications 002021.exe.400000.0.unpack, <PrivateImplementationDetails>{E2C89848-C789-47AE-81EB-0E579C324E4C}/011CEB48-442B-4552-AD04-DFCA3A37BAA6.cs | Large array initialization: .cctor: array initializer size 12003
.NET source code contains very large strings
Source: Inquiry - Specifications 002021.exe, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 0.0.Inquiry - Specifications 002021.exe.70000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 0.2.Inquiry - Specifications 002021.exe.70000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 5.0.Inquiry - Specifications 002021.exe.a10000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 5.2.Inquiry - Specifications 002021.exe.a10000.1.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: Inquiry - Specifications 002021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_01210A70 KiUserExceptionDispatcher,GetClassInfoExA,KiUserExceptionDispatcher,CreateIconFromResourceEx,GetWindowWord,LdrInitializeThunk,DispatchMessageA,SetDeskWallpaper,EnumPropsA,GetDpiForMonitorInternal,GetMessageA,ExitWindowsEx,
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_01210A70 KiUserExceptionDispatcher,GetClassInfoExA,KiUserExceptionDispatcher,CreateIconFromResourceEx,GetWindowWord,LdrInitializeThunk,DispatchMessageA,SetDeskWallpaper,EnumPropsA,GetDpiForMonitorInternal,GetMessageA,ExitWindowsEx,
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 0_2_001193CF
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 0_2_000793F1
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 0_2_0087C194
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 0_2_0087E5F0
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_00A193F1
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_00AB93CF
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_00FD2090
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_00FDB28F
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_00FD6FD0
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_00FD0690
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_00FD9380
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_01216510
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_01215DD8
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_012157A0
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_0121EAE8
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_014A4860
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_014A4770
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.322874820.000000000254D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameColladaLoader.dll4 vs Inquiry - Specifications 002021.exe
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.329163786.00000000034D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameqSvvtNEnodCAvWfjURpxZnu.exe4 vs Inquiry - Specifications 002021.exe
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.329163786.00000000034D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Inquiry - Specifications 002021.exe
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.319293042.0000000000140000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTaskAwait.exe4 vs Inquiry - Specifications 002021.exe
Source: Inquiry - Specifications 002021.exe, 00000000.00000002.320291325.000000000089B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Inquiry - Specifications 002021.exe
Source: Inquiry - Specifications 002021.exe, 00000005.00000000.317737287.0000000000AE0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTaskAwait.exe4 vs Inquiry - Specifications 002021.exe
Source: Inquiry - Specifications 002021.exe, 00000005.00000002.553693912.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameqSvvtNEnodCAvWfjURpxZnu.exe4 vs Inquiry - Specifications 002021.exe
Source: Inquiry - Specifications 002021.exe, 00000005.00000002.554538047.0000000000EF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Inquiry - Specifications 002021.exe
Source: Inquiry - Specifications 002021.exe | Binary or memory string: OriginalFilenameTaskAwait.exe4 vs Inquiry - Specifications 002021.exe
Source: Inquiry - Specifications 002021.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Inquiry - Specifications 002021.exe | Virustotal: Detection: 7%
Source: Inquiry - Specifications 002021.exe | ReversingLabs: Detection: 42%
Source: Inquiry - Specifications 002021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe 'C:\Users\user\Desktop\Inquiry - Specifications 002021.exe'
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Process created: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe C:\Users\user\Desktop\Inquiry - Specifications 002021.exe
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Process created: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe C:\Users\user\Desktop\Inquiry - Specifications 002021.exe
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inquiry - Specifications 002021.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@4/2
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 5.2.Inquiry - Specifications 002021.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.Inquiry - Specifications 002021.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Inquiry - Specifications 002021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Inquiry - Specifications 002021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Inquiry - Specifications 002021.exe, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Inquiry - Specifications 002021.exe.70000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Inquiry - Specifications 002021.exe.70000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Inquiry - Specifications 002021.exe.a10000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Inquiry - Specifications 002021.exe.a10000.1.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_0121B5FF push edi; retn 0000h
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_0121D44C pushad ; retf
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Code function: 5_2_0121D458 pushad ; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.0705910139
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File created: \inquiry - specifications 002021.exe
Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File created: \inquiry - specifications 002021.exe

                      Hooking and other Techniques for Hiding and Protection:

                      Moves itself to temp directory
                      Source: c:\users\user\desktop\inquiry - specifications 002021.exe File moved: C:\Users\user\AppData\Local\Temp\tmpG14.tmp
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match File source: 0.2.Inquiry - Specifications 002021.exe.2528614.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.322481518.00000000024D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.322874820.000000000254D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: Inquiry - Specifications 002021.exe PID: 1360, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: Inquiry - Specifications 002021.exe, 00000000.00000002.322874820.000000000254D000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: Inquiry - Specifications 002021.exe, 00000000.00000002.322874820.000000000254D000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe TID: 2504 Thread sleep time: -42868s >= -30000s
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe TID: 6944 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe TID: 7136 Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe TID: 6852 Thread sleep count: 657 > 30
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe TID: 6852 Thread sleep count: 9187 > 30
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Window / User API: threadDelayed 657
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Window / User API: threadDelayed 9187
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Thread delayed: delay time: 42868
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Thread delayed: delay time: 922337203685477
                      Source: Inquiry - Specifications 002021.exe, 00000000.00000002.322874820.000000000254D000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Inquiry - Specifications 002021.exe, 00000000.00000002.322874820.000000000254D000.00000004.00000001.sdmp Binary or memory string: vmware
                      Source: Inquiry - Specifications 002021.exe, 00000000.00000002.322874820.000000000254D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
                      Source: Inquiry - Specifications 002021.exe, 00000005.00000002.556634712.00000000011B7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
                      Source: Inquiry - Specifications 002021.exe, 00000000.00000002.322874820.000000000254D000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Code function: 5_2_00FD1A80 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Process created: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe C:\Users\user\Desktop\Inquiry - Specifications 002021.exe
                      Source: Inquiry - Specifications 002021.exe, 00000005.00000002.557909116.0000000001890000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: Inquiry - Specifications 002021.exe, 00000005.00000002.557909116.0000000001890000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: Inquiry - Specifications 002021.exe, 00000005.00000002.557909116.0000000001890000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: Inquiry - Specifications 002021.exe, 00000005.00000002.557909116.0000000001890000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.Inquiry - Specifications 002021.exe.35a8b58.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Inquiry - Specifications 002021.exe.36d73e0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.Inquiry - Specifications 002021.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Inquiry - Specifications 002021.exe.35a8b58.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000002.553693912.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.329163786.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.559497777.00000000030EF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Inquiry - Specifications 002021.exe PID: 1360, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Inquiry - Specifications 002021.exe PID: 6580, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: Yara match | File source: 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Inquiry - Specifications 002021.exe PID: 6580, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.Inquiry - Specifications 002021.exe.35a8b58.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Inquiry - Specifications 002021.exe.36d73e0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.Inquiry - Specifications 002021.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Inquiry - Specifications 002021.exe.35a8b58.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000002.553693912.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.329163786.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.559497777.00000000030EF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Inquiry - Specifications 002021.exe PID: 1360, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Inquiry - Specifications 002021.exe PID: 6580, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 12 | Masquerading 11 | OS Credential Dumping 2 | Security Software Discovery 211 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Input Capture 111 | Process Discovery 2 | Remote Desktop Protocol | Input Capture 111 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Credentials in Registry 1 | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Data from Local System 2 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud |
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Information Discovery 114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      Inquiry - Specifications 002021.exe | 7% | Virustotal |
                      Inquiry - Specifications 002021.exe | 43% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      5.2.Inquiry - Specifications 002021.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      Source | Detection | Scanner | Label
                      smtp.vern-group.com | 0% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      http://www.sajatypeworks.comus0 | 0% | Avira URL Cloud | safe
                      http://www.typography.netI.TTFB5 | 0% | Avira URL Cloud | safe
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.comiv | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://www.fonts.comwN | 0% | Avira URL Cloud | safe
                      https://SAIitQOLdjJT1PWF4ciQ.net(0 | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.com= | 0% | Avira URL Cloud | safe
                      https://SAIitQOLdjJT1PWF4ciQ.net | 0% | Avira URL Cloud | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://www.sajatypeworks.comus | 0% | Avira URL Cloud | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://www.sajatypeworks.comusJ | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://www.typography.net | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      http://www.fontbureau.comttvc | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      http://www.monotype.y | 0% | Avira URL Cloud | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://www.typography.nete | 0% | Avira URL Cloud | safe
                      http://tbdUKh.com | 0% | Avira URL Cloud | safe
                      http://www.rspb.org.uk/wildlife/birdguide/name/ | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      http://www.monotype.ccN/ | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.com-e | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.fonts.comON | 0% | Avira URL Cloud | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://www.sajatypeworks.comusW | 0% | Avira URL Cloud | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                      http://www.agfamonotype.%AF | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.com# | 0% | Avira URL Cloud | safe
                      http://www.typography.netl | 0% | Avira URL Cloud | safe
                      http://www.fontbureau.com~ | 0% | Avira URL Cloud | safe
                      http://smtp.vern-group.com | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | | high
                      smtp.vern-group.com | unknown | unknown | true | | unknown

                        URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://www.sajatypeworks.comus0 | Inquiry - Specifications 002021.exe, 00000000.00000003.292988250.00000000053CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.typography.netI.TTFB5 | Inquiry - Specifications 002021.exe, 00000000.00000003.293144259.00000000053CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://127.0.0.1:HTTP/1.1 | Inquiry - Specifications 002021.exe, 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      http://www.fontbureau.com/designersG | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | | high
                      http://www.sajatypeworks.comiv | Inquiry - Specifications 002021.exe, 00000000.00000003.292167827.00000000053D0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/? | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | | high
                      http://www.founder.com.cn/cn/bThe | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://us2.smtp.mailhostbox.com | Inquiry - Specifications 002021.exe, 00000005.00000002.559762309.0000000003180000.00000004.00000001.sdmp | false | | high
                      http://www.fonts.comwN | Inquiry - Specifications 002021.exe, 00000000.00000003.292829166.00000000053EE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.fontbureau.com/designers? | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | | high
                      https://SAIitQOLdjJT1PWF4ciQ.net(0 | Inquiry - Specifications 002021.exe, 00000005.00000002.559497777.00000000030EF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      http://www.sajatypeworks.com= | Inquiry - Specifications 002021.exe, 00000000.00000003.292790308.00000000053CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      https://SAIitQOLdjJT1PWF4ciQ.net | Inquiry - Specifications 002021.exe, 00000005.00000002.559497777.00000000030EF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.tiro.com | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.sajatypeworks.comus | Inquiry - Specifications 002021.exe, 00000000.00000003.292451686.00000000053D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.fontbureau.com/designers | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | | high
                      http://www.goodfont.co.kr | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.sajatypeworks.comusJ | Inquiry - Specifications 002021.exe, 00000000.00000003.292790308.00000000053CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.sajatypeworks.com | Inquiry - Specifications 002021.exe, 00000000.00000003.293144259.00000000053CB000.00000004.00000001.sdmp, Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.typography.netD | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.founder.com.cn/cn/cThe | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.galapagosdesign.com/staff/dennis.htm | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://fontfabrik.com | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designersl | Inquiry - Specifications 002021.exe, 00000000.00000003.303059470.00000000053B9000.00000004.00000001.sdmp | false | | high
                      http://www.typography.net | Inquiry - Specifications 002021.exe, 00000000.00000003.293144259.00000000053CB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.galapagosdesign.com/DPlease | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fonts.com | Inquiry - Specifications 002021.exe, 00000000.00000003.292829166.00000000053EE000.00000004.00000001.sdmp, Inquiry - Specifications 002021.exe, 00000000.00000003.292750034.00000000053EE000.00000004.00000001.sdmp | false | | high
                      http://www.sandoll.co.kr | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.urwpp.deDPlease | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.zhongyicts.com.cn | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.sakkal.com | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.comttvc | Inquiry - Specifications 002021.exe, 00000000.00000003.318162533.00000000053B0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Inquiry - Specifications 002021.exe, 00000000.00000002.329163786.00000000034D1000.00000004.00000001.sdmp, Inquiry - Specifications 002021.exe, 00000005.00000002.553693912.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.monotype.y | Inquiry - Specifications 002021.exe, 00000000.00000003.304499547.00000000053DC000.00000004.00000001.sdmp, Inquiry - Specifications 002021.exe, 00000000.00000003.304256608.00000000053DC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.apache.org/licenses/LICENSE-2.0 | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | | high
                      http://www.fontbureau.com | Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmp | false | | high
                      http://DynDns.comDynDNS | Inquiry - Specifications 002021.exe, 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.typography.nete | Inquiry - Specifications 002021.exe, 00000000.00000003.293144259.00000000053CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                          http://tbdUKh.comInquiry - Specifications 002021.exe, 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.rspb.org.uk/wildlife/birdguide/name/Inquiry - Specifications 002021.exefalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haInquiry - Specifications 002021.exe, 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.monotype.ccN/Inquiry - Specifications 002021.exe, 00000000.00000003.304395330.00000000053DC000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sajatypeworks.com-eInquiry - Specifications 002021.exe, 00000000.00000003.292790308.00000000053CB000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.carterandcone.comlInquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlNInquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.fonts.comONInquiry - Specifications 002021.exe, 00000000.00000003.292829166.00000000053EE000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.founder.com.cn/cnInquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/frere-jones.htmlInquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.fontbureau.com/designers/cabarga.htmlInquiry - Specifications 002021.exe, 00000000.00000003.304621163.00000000053DC000.00000004.00000001.sdmp, Inquiry - Specifications 002021.exe, 00000000.00000003.304589020.00000000053DC000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.sajatypeworks.comusWInquiry - Specifications 002021.exe, 00000000.00000003.292814955.00000000053CB000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.agfamonotype.%AFInquiry - Specifications 002021.exe, 00000000.00000003.312590262.00000000053E0000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                low
                                                http://www.fontbureau.com/designers8Inquiry - Specifications 002021.exe, 00000000.00000002.331984585.00000000065C2000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.sajatypeworks.com#Inquiry - Specifications 002021.exe, 00000000.00000003.292167827.00000000053D0000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.typography.netlInquiry - Specifications 002021.exe, 00000000.00000003.293144259.00000000053CB000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/Inquiry - Specifications 002021.exe, 00000000.00000003.303059470.00000000053B9000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.com~Inquiry - Specifications 002021.exe, 00000000.00000003.318162533.00000000053B0000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    low
                                                    http://smtp.vern-group.comInquiry - Specifications 002021.exe, 00000005.00000002.559762309.0000000003180000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown

                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.198.143 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
208.91.199.224 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true

                                                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 491433
Start date: 27.09.2021
Start time: 15:29:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 13s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Inquiry - Specifications 002021.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.8% (good quality ratio 0.7%)
• Quality average: 57%
• Quality standard deviation: 33.3%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                    • Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.82.209.183, 20.54.110.249, 40.112.88.60, 209.197.3.8, 20.199.120.151, 23.10.249.26, 23.10.249.43, 20.199.120.85, 20.199.120.182, 20.82.210.154
                                                    • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
15:30:15 | API Interceptor | 678x Sleep call for process: Inquiry - Specifications 002021.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

Match | Associated Sample Name / URL | Detection
208.91.198.143 | #RFQ Medimpex International LLC.exe | malicious
208.91.198.143 | New Order.doc | malicious
208.91.198.143 | LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exe | malicious
208.91.198.143 | Curriculum Vitae Milani.exe | malicious
208.91.198.143 | Solicitud de cotizacion.exe | malicious
208.91.198.143 | KLC45E_92421_PI.exe | malicious
208.91.198.143 | Products prices request.xlsx | malicious
208.91.198.143 | Payment Advice 09-22-2021 SKMBT03783930484080484904003TXT.exe | malicious
208.91.198.143 | from-iso_PSC ___ - E41140,PDF.EXE | malicious
208.91.198.143 | n267kM6LhuZHjzz.exe | malicious
208.91.198.143 | Cv4ms60aUz.exe | malicious
208.91.198.143 | iw2crzErP4mvr7r.exe | malicious
208.91.198.143 | COMTAC LISTA URGENTE ORDEN 92121,pdf.exe | malicious
208.91.198.143 | PRESUPUESTO.xlsx | malicious
208.91.198.143 | k4QKSYxd03.exe | malicious
208.91.198.143 | Po#6672.pdf.exe | malicious
208.91.198.143 | Order Confirmation _ Urgent,pdf.exe | malicious
208.91.198.143 | Orde Baru #86-55113 ,pdf.exe | malicious
208.91.198.143 | RFQ_AP65425652_032421 segera.exe | malicious
208.91.198.143 | INTR_ORDER 5676-SEPT1521,pdf.exe | malicious
208.91.199.224 | LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exe | malicious
208.91.199.224 | #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exe | malicious
208.91.199.224 | #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exe | malicious
208.91.199.224 | 4f7K9bfgNr.exe | malicious
208.91.199.224 | New Order.exe | malicious
208.91.199.224 | KLC45E_92421_PI.exe | malicious
208.91.199.224 | MONO Nueva orden - E41140,PDF.exe | malicious
208.91.199.224 | SO230921.exe | malicious
208.91.199.224 | Products prices request.xlsx | malicious
208.91.199.224 | S7v33zELdY.exe | malicious
208.91.199.224 | INVOICE AWB 9782166...exe | malicious
208.91.199.224 | iJjetWi3z5.exe | malicious
208.91.199.224 | COMTAC LISTA URGENTE ORDEN 92121,pdf.exe | malicious
208.91.199.224 | Po#6672.pdf.exe | malicious
208.91.199.224 | 04142021_10RD0207S0N0000,pdf.exe | malicious
208.91.199.224 | Order Confirmation _ Urgent,pdf.exe | malicious
208.91.199.224 | Orde Baru #86-55113 ,pdf.exe | malicious
208.91.199.224 | PRESUPUESTO.xlsx | malicious
208.91.199.224 | Rvl6j5Uisf.exe | malicious
208.91.199.224 | New ORDER.doc | malicious

                                                                                                                                    Domains

Match | Associated Sample Name / URL | Detection | Context
us2.smtp.mailhostbox.com | #RFQ Medimpex International LLC.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | SHIPPING DOCUMENTS_PDF.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | New Order.doc | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | 4f7K9bfgNr.exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | Curriculum Vitae Milani.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | Solicitud de cotizacion.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | New Order.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | KLC45E_92421_PI.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | PO-3242.xlsx | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | MONO Nueva orden - E41140,PDF.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | SO230921.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | Products prices request.xlsx | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | 3qyhcUC9um.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | Payment Advice 09-22-2021 SKMBT03783930484080484904003TXT.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | from-iso_PSC ___ - E41140,PDF.EXE | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | n267kM6LhuZHjzz.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | Payment copy.exe | malicious | 208.91.199.225

                                                                                                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
PUBLIC-DOMAIN-REGISTRYUS | waff.xls | malicious | 204.11.59.34
PUBLIC-DOMAIN-REGISTRYUS | #RFQ Medimpex International LLC.exe | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | SHIPPING DOCUMENTS_PDF.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | New Order.doc | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | 4f7K9bfgNr.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Curriculum Vitae Milani.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | Solicitud de cotizacion.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | New Order.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | KLC45E_92421_PI.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Request_For_Quotation#234242_signed_copy_document_september_rfq.exe | malicious | 162.215.240.160
PUBLIC-DOMAIN-REGISTRYUS | PO-3242.xlsx | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | MONO Nueva orden - E41140,PDF.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | SO230921.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Products prices request.xlsx | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Payment Advice 09-22-2021 SKMBT03783930484080484904003TXT.exe | malicious | 208.91.198.143
                                                                                                                                    from-iso_PSC ___ - E41140,PDF.EXEGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.223
                                                                                                                                    n267kM6LhuZHjzz.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.198.143
                                                                                                                                    PUBLIC-DOMAIN-REGISTRYUSwaff.xlsGet hashmaliciousBrowse
                                                                                                                                    • 204.11.59.34
                                                                                                                                    #RFQ Medimpex International LLC.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.223
                                                                                                                                    SHIPPING DOCUMENTS_PDF.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.225
                                                                                                                                    New Order.docGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.225
                                                                                                                                    LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.224
                                                                                                                                    #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.224
                                                                                                                                    #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.224
                                                                                                                                    4f7K9bfgNr.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.224
                                                                                                                                    Curriculum Vitae Milani.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.198.143
                                                                                                                                    Solicitud de cotizacion.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.198.143
                                                                                                                                    New Order.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.224
                                                                                                                                    KLC45E_92421_PI.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.224
                                                                                                                                    Request_For_Quotation#234242_signed_copy_document_september_rfq.exeGet hashmaliciousBrowse
                                                                                                                                    • 162.215.240.160
                                                                                                                                    PO-3242.xlsxGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.223
                                                                                                                                    MONO Nueva orden - E41140,PDF.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.224
                                                                                                                                    SO230921.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.224
                                                                                                                                    Products prices request.xlsxGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.224
                                                                                                                                    Payment Advice 09-22-2021 SKMBT03783930484080484904003TXT.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.198.143
                                                                                                                                    from-iso_PSC ___ - E41140,PDF.EXEGet hashmaliciousBrowse
                                                                                                                                    • 208.91.199.223
                                                                                                                                    n267kM6LhuZHjzz.exeGet hashmaliciousBrowse
                                                                                                                                    • 208.91.198.143

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inquiry - Specifications 002021.exe.log
Process: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1309
Entropy (8bit): 5.3528008810928345
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84aE4Ks:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
MD5: 542338C5A30B02E372089FECDC54D607
SHA1: 6FAD29FF14686FC847B160E876C1E078333F6DCB
SHA-256: 6CEA4E70947B962733754346CE49553BE3FB6E1FB3949C29EC22FA9CA4B7E7B6
SHA-512: FE4431305A8958C4940EB4AC65723A38DA6057C3D30F789C6EDDEBA8962B62E9C0583254E74740855027CF3AE9315E3001A7EEB54168073ED0D2AB9B1F05503A
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\w04smpsc.51a\Chrome\Default\Cookies
Process: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.817961825290743
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Inquiry - Specifications 002021.exe
File size: 881152
MD5: 768a1127c119149f96a29c0d0c0b56ec
SHA1: afe86ab8d4a8b5b092e95f1cb2ae563f5ea5867d
SHA256: 2442c3ecd04264f108429a954275ee27986e00b79cbce6d07843dfefdf4d24af
SHA512: 9288f45ef09172b28a4fa542b2ead2a2026b910eb229859125da6bfb735e0178e7e8dcd7c4eddc590646e409ccb6e180b24813f059e7f5f161983a3b7749c672
SSDEEP: 12288:goSLU8CqriiULSX7yUrMjgY6WDWzjXbdarHOsnoaLOAmQsaypSL+jQHmLDsBhvs8:3bIFJ9F9lPV3X2hM3akNQF+0F+2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|.Qa..............0.................. ........@.. ....................................@................................

File Icon

Icon Hash: 138e8eccece8cccc

Static PE Info

General

Entrypoint: 0x4bf602
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61511F7C [Mon Sep 27 01:33:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al
                                                                                                                                    add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbf5b0          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc0000          0x19424       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xda000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xbd608       0xbd800   False     0.686279941046   data       7.0705910139    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xc0000          0x19424       0x19600   False     0.391692964901   data       4.29511012121   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xda000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size     Type                                                                                                                                     Language  Country
RT_ICON        0xc0180  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0xd09b8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON        0xd4bf0  0x25a8   data
RT_ICON        0xd71a8  0x10a8   data
RT_ICON        0xd8260  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xd86d8  0x4c     data
RT_VERSION     0xd8734  0x32c    data
RT_MANIFEST    0xd8a70  0x9b0    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright F@Soft
Assembly Version  1.0.6.2
InternalName      TaskAwait.exe
FileVersion       1.0.6.0
CompanyName       F@Soft
LegalTrademarks
Comments
ProductName       Darwin AW
ProductVersion    1.0.6.0
FileDescription   Darwin AW
OriginalFilename  TaskAwait.exe

                                                                                                                                    Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                Source Port  Dest Port  Source IP    Dest IP
09/27/21-15:32:02.040982  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP    49849        587        192.168.2.3  208.91.198.143
09/27/21-15:32:06.598209  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP    49850        587        192.168.2.3  208.91.199.224

                                                                                                                                    Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Sep 27, 2021 15:32:00.600147009 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:00.738070011 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:00.738890886 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:01.146960974 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:01.147341967 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:01.286124945 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:01.289591074 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:01.292818069 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:01.431281090 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:01.432023048 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:01.574882984 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:01.577059984 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:01.719269991 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:01.719748974 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:01.898868084 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:01.898897886 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:01.899446964 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:02.037955999 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:02.039216042 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:02.040982008 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:02.041016102 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:02.044538021 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:02.044569016 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:02.178857088 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:02.188532114 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:02.286237955 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:02.337654114 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:04.643898964 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:04.785418987 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:04.785449982 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:04.786442041 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:04.794720888 CEST  49849        587        192.168.2.3     208.91.198.143
Sep 27, 2021 15:32:04.928191900 CEST  587          49849      208.91.198.143  192.168.2.3
Sep 27, 2021 15:32:05.087939978 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:05.238291025 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:05.238702059 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:05.667896032 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:05.668147087 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:05.817156076 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:05.817183971 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:05.819185019 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:05.966929913 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:05.967503071 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.116357088 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:06.116758108 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.265615940 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:06.266062021 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.437005997 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:06.439989090 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.586853981 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:06.598170042 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.598208904 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.598212957 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.598217010 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.598223925 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.598237991 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.598241091 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.598243952 CEST  49850        587        192.168.2.3     208.91.199.224
Sep 27, 2021 15:32:06.746366978 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:06.746392012 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:06.747802019 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:06.786921978 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:06.850157976 CEST  587          49850      208.91.199.224  192.168.2.3
Sep 27, 2021 15:32:06.906167030 CEST  49850        587        192.168.2.3     208.91.199.224

                                                                                                                                    UDP Packets

Timestamp                              Source Port  Dest Port  Source IP    Dest IP
Sep 27, 2021 15:29:59.066555023 CEST   53910        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:29:59.086263895 CEST   53           53910      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:24.797724009 CEST   64021        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:24.813322067 CEST   53           64021      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:45.539756060 CEST   60784        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:45.616595030 CEST   53           60784      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:46.146661997 CEST   51143        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:46.159595966 CEST   53           51143      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:46.608809948 CEST   56009        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:46.621592999 CEST   53           56009      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:46.696436882 CEST   59026        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:46.733656883 CEST   53           59026      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:46.949829102 CEST   49572        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:47.031303883 CEST   53           49572      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:47.429641008 CEST   60823        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:47.442962885 CEST   53           60823      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:47.935688019 CEST   52130        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:47.950026989 CEST   53           52130      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:48.498720884 CEST   55102        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:48.568681002 CEST   53           55102      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:50.097127914 CEST   56236        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:50.110187054 CEST   53           56236      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:50.653748035 CEST   56527        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:50.667749882 CEST   53           56527      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:51.073754072 CEST   49559        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:51.087573051 CEST   53           49559      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:51.197684050 CEST   52650        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:51.210908890 CEST   53           52650      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:51.282577991 CEST   63297        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:51.296304941 CEST   53           63297      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:53.412252903 CEST   58361        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:53.425890923 CEST   53           58361      8.8.8.8      192.168.2.3
Sep 27, 2021 15:30:57.462338924 CEST   53615        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:30:57.476268053 CEST   53           53615      8.8.8.8      192.168.2.3
Sep 27, 2021 15:31:01.934562922 CEST   50728        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:31:01.964940071 CEST   53           50728      8.8.8.8      192.168.2.3
Sep 27, 2021 15:31:10.267343044 CEST   53777        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:31:10.281374931 CEST   53           53777      8.8.8.8      192.168.2.3
Sep 27, 2021 15:31:23.386717081 CEST   57106        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:31:23.400614977 CEST   53           57106      8.8.8.8      192.168.2.3
Sep 27, 2021 15:31:28.808886051 CEST   60352        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:31:28.847312927 CEST   53           60352      8.8.8.8      192.168.2.3
Sep 27, 2021 15:31:29.736537933 CEST   56773        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:31:29.753379107 CEST   53           56773      8.8.8.8      192.168.2.3
Sep 27, 2021 15:31:40.345299006 CEST   60982        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:31:40.359057903 CEST   53           60982      8.8.8.8      192.168.2.3
Sep 27, 2021 15:31:55.565011024 CEST   58058        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:31:55.592345953 CEST   53           58058      8.8.8.8      192.168.2.3
Sep 27, 2021 15:31:58.194183111 CEST   64367        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:31:58.207998037 CEST   53           64367      8.8.8.8      192.168.2.3
Sep 27, 2021 15:32:00.163115025 CEST   51539        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:32:00.319247007 CEST   53           51539      8.8.8.8      192.168.2.3
Sep 27, 2021 15:32:00.396828890 CEST   55393        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:32:00.585047960 CEST   53           55393      8.8.8.8      192.168.2.3
Sep 27, 2021 15:32:04.844149113 CEST   50585        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:32:05.005784988 CEST   53           50585      8.8.8.8      192.168.2.3
Sep 27, 2021 15:32:05.071542978 CEST   63456        53         192.168.2.3  8.8.8.8
Sep 27, 2021 15:32:05.086332083 CEST   53           63456      8.8.8.8      192.168.2.3

DNS Queries

Timestamp                              Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class
Sep 27, 2021 15:32:00.163115025 CEST   192.168.2.3  8.8.8.8  0xd9f2    Standard query (0)  smtp.vern-group.com  A (IP address)  IN (0x0001)
Sep 27, 2021 15:32:00.396828890 CEST   192.168.2.3  8.8.8.8  0x69b6    Standard query (0)  smtp.vern-group.com  A (IP address)  IN (0x0001)
Sep 27, 2021 15:32:04.844149113 CEST   192.168.2.3  8.8.8.8  0xe910    Standard query (0)  smtp.vern-group.com  A (IP address)  IN (0x0001)
Sep 27, 2021 15:32:05.071542978 CEST   192.168.2.3  8.8.8.8  0x574d    Standard query (0)  smtp.vern-group.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                              Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                     Address         Type                    Class
Sep 27, 2021 15:32:00.319247007 CEST   8.8.8.8    192.168.2.3  0xd9f2    No error (0)  smtp.vern-group.com       us2.smtp.mailhostbox.com  -               CNAME (Canonical name)  IN (0x0001)
Sep 27, 2021 15:32:00.319247007 CEST   8.8.8.8    192.168.2.3  0xd9f2    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.198.143  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:00.319247007 CEST   8.8.8.8    192.168.2.3  0xd9f2    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.225  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:00.319247007 CEST   8.8.8.8    192.168.2.3  0xd9f2    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.224  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:00.319247007 CEST   8.8.8.8    192.168.2.3  0xd9f2    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.223  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:00.585047960 CEST   8.8.8.8    192.168.2.3  0x69b6    No error (0)  smtp.vern-group.com       us2.smtp.mailhostbox.com  -               CNAME (Canonical name)  IN (0x0001)
Sep 27, 2021 15:32:00.585047960 CEST   8.8.8.8    192.168.2.3  0x69b6    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.225  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:00.585047960 CEST   8.8.8.8    192.168.2.3  0x69b6    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.224  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:00.585047960 CEST   8.8.8.8    192.168.2.3  0x69b6    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.198.143  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:00.585047960 CEST   8.8.8.8    192.168.2.3  0x69b6    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.223  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:05.005784988 CEST   8.8.8.8    192.168.2.3  0xe910    No error (0)  smtp.vern-group.com       us2.smtp.mailhostbox.com  -               CNAME (Canonical name)  IN (0x0001)
Sep 27, 2021 15:32:05.005784988 CEST   8.8.8.8    192.168.2.3  0xe910    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.224  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:05.005784988 CEST   8.8.8.8    192.168.2.3  0xe910    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.225  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:05.005784988 CEST   8.8.8.8    192.168.2.3  0xe910    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.223  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:05.005784988 CEST   8.8.8.8    192.168.2.3  0xe910    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.198.143  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:05.086332083 CEST   8.8.8.8    192.168.2.3  0x574d    No error (0)  smtp.vern-group.com       us2.smtp.mailhostbox.com  -               CNAME (Canonical name)  IN (0x0001)
Sep 27, 2021 15:32:05.086332083 CEST   8.8.8.8    192.168.2.3  0x574d    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.225  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:05.086332083 CEST   8.8.8.8    192.168.2.3  0x574d    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.224  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:05.086332083 CEST   8.8.8.8    192.168.2.3  0x574d    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.198.143  A (IP address)          IN (0x0001)
Sep 27, 2021 15:32:05.086332083 CEST   8.8.8.8    192.168.2.3  0x574d    No error (0)  us2.smtp.mailhostbox.com  -                         208.91.199.223  A (IP address)          IN (0x0001)

SMTP Packets

Timestamp                              Source Port  Dest Port  Source IP       Dest IP         Commands
Sep 27, 2021 15:32:01.146960974 CEST   587          49849      208.91.198.143  192.168.2.3     220 us2.outbound.mailhostbox.com ESMTP Postfix
Sep 27, 2021 15:32:01.147341967 CEST   49849        587        192.168.2.3     208.91.198.143  EHLO 364339
Sep 27, 2021 15:32:01.289591074 CEST   587          49849      208.91.198.143  192.168.2.3     250-us2.outbound.mailhostbox.com
                                                                                               250-PIPELINING
                                                                                               250-SIZE 41648128
                                                                                               250-VRFY
                                                                                               250-ETRN
                                                                                               250-STARTTLS
                                                                                               250-AUTH PLAIN LOGIN
                                                                                               250-AUTH=PLAIN LOGIN
                                                                                               250-ENHANCEDSTATUSCODES
                                                                                               250-8BITMIME
                                                                                               250 DSN
Sep 27, 2021 15:32:01.292818069 CEST   49849        587        192.168.2.3     208.91.198.143  AUTH login YW5uZXR0LmphbG93aUB2ZXJuLWdyb3VwLmNvbQ==
Sep 27, 2021 15:32:01.431281090 CEST   587          49849      208.91.198.143  192.168.2.3     334 UGFzc3dvcmQ6
Sep 27, 2021 15:32:01.574882984 CEST   587          49849      208.91.198.143  192.168.2.3     235 2.7.0 Authentication successful
Sep 27, 2021 15:32:01.577059984 CEST   49849        587        192.168.2.3     208.91.198.143  MAIL FROM:<annett.jalowi@vern-group.com>
Sep 27, 2021 15:32:01.719269991 CEST   587          49849      208.91.198.143  192.168.2.3     250 2.1.0 Ok
Sep 27, 2021 15:32:01.719748974 CEST   49849        587        192.168.2.3     208.91.198.143  RCPT TO:<annett.jalowi@vern-group.com>
Sep 27, 2021 15:32:01.898897886 CEST   587          49849      208.91.198.143  192.168.2.3     250 2.1.5 Ok
Sep 27, 2021 15:32:01.899446964 CEST   49849        587        192.168.2.3     208.91.198.143  DATA
Sep 27, 2021 15:32:02.039216042 CEST   587          49849      208.91.198.143  192.168.2.3     354 End data with <CR><LF>.<CR><LF>
Sep 27, 2021 15:32:02.044569016 CEST   49849        587        192.168.2.3     208.91.198.143  .
Sep 27, 2021 15:32:02.286237955 CEST   587          49849      208.91.198.143  192.168.2.3     250 2.0.0 Ok: queued as CB0C4192B3B
Sep 27, 2021 15:32:04.643898964 CEST   49849        587        192.168.2.3     208.91.198.143  QUIT
Sep 27, 2021 15:32:04.785418987 CEST   587          49849      208.91.198.143  192.168.2.3     221 2.0.0 Bye
Sep 27, 2021 15:32:05.667896032 CEST   587          49850      208.91.199.224  192.168.2.3     220 us2.outbound.mailhostbox.com ESMTP Postfix
Sep 27, 2021 15:32:05.668147087 CEST   49850        587        192.168.2.3     208.91.199.224  EHLO 364339
Sep 27, 2021 15:32:05.817183971 CEST   587          49850      208.91.199.224  192.168.2.3     250-us2.outbound.mailhostbox.com
                                                                                               250-PIPELINING
                                                                                               250-SIZE 41648128
                                                                                               250-VRFY
                                                                                               250-ETRN
                                                                                               250-STARTTLS
                                                                                               250-AUTH PLAIN LOGIN
                                                                                               250-AUTH=PLAIN LOGIN
                                                                                               250-ENHANCEDSTATUSCODES
                                                                                               250-8BITMIME
                                                                                               250 DSN
Sep 27, 2021 15:32:05.819185019 CEST   49850        587        192.168.2.3     208.91.199.224  AUTH login YW5uZXR0LmphbG93aUB2ZXJuLWdyb3VwLmNvbQ==
Sep 27, 2021 15:32:05.966929913 CEST   587          49850      208.91.199.224  192.168.2.3     334 UGFzc3dvcmQ6
Sep 27, 2021 15:32:06.116357088 CEST   587          49850      208.91.199.224  192.168.2.3     235 2.7.0 Authentication successful
Sep 27, 2021 15:32:06.116758108 CEST   49850        587        192.168.2.3     208.91.199.224  MAIL FROM:<annett.jalowi@vern-group.com>
Sep 27, 2021 15:32:06.265615940 CEST   587          49850      208.91.199.224  192.168.2.3     250 2.1.0 Ok
Sep 27, 2021 15:32:06.266062021 CEST   49850        587        192.168.2.3     208.91.199.224  RCPT TO:<annett.jalowi@vern-group.com>
Sep 27, 2021 15:32:06.437005997 CEST   587          49850      208.91.199.224  192.168.2.3     250 2.1.5 Ok
Sep 27, 2021 15:32:06.439989090 CEST   49850        587        192.168.2.3     208.91.199.224  DATA
Sep 27, 2021 15:32:06.586853981 CEST   587          49850      208.91.199.224  192.168.2.3     354 End data with <CR><LF>.<CR><LF>
Sep 27, 2021 15:32:06.598243952 CEST   49850        587        192.168.2.3     208.91.199.224  .
Sep 27, 2021 15:32:06.850157976 CEST   587          49850      208.91.199.224  192.168.2.3     250 2.0.0 Ok: queued as 5920E1CACDC

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 15:30:03
Start date: 27/09/2021
Path: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Inquiry - Specifications 002021.exe'
Imagebase: 0x70000
File size: 881152 bytes
MD5 hash: 768A1127C119149F96A29C0D0C0B56EC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.329163786.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.329163786.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.322481518.00000000024D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.322874820.000000000254D000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:30:16
Start date: 27/09/2021
Path: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Inquiry - Specifications 002021.exe
Imagebase: 0xa10000
File size: 881152 bytes
MD5 hash: 768A1127C119149F96A29C0D0C0B56EC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.559497777.00000000030EF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.553693912.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.553693912.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.558228658.0000000002E01000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis