Windows Analysis Report
FW URGENT RFQ-400098211.exe

Overview

General Information

Sample name: FW URGENT RFQ-400098211.exe
Analysis ID: 1436367
MD5: eb22df9e911f644327e4417b7e170727
SHA1: fc4be943bdd75bea11402dafd25eac549662adfd
SHA256: 2b45e61ed11c6c785371e18c12018cc5ffbe85e5caa889b3101312f80677dd80
Tags: exeHUN
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "terminal4.veeblehosting.com", "Username": "appo@kailmaticarbon.com", "Password": "Ifeanyi1987@"}
Multi AV Scanner detection for submitted file
Source: FW URGENT RFQ-400098211.exe ReversingLabs: Detection: 37%
Source: FW URGENT RFQ-400098211.exe Virustotal: Detection: 30% Perma Link
Machine Learning detection for sample
Source: FW URGENT RFQ-400098211.exe Joe Sandbox ML: detected

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FW URGENT RFQ-400098211.exe PID: 5728, type: MEMORYSTR
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP Parser: No favicon
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP Parser: No favicon
Source: FW URGENT RFQ-400098211.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbr source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FW URGENT RFQ-400098211.PDB source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872137618.0000003E14EF3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: )"Ayib.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: System.Drawing.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb(8 source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbSys source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbtrinT source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb0<c source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.00000236380EC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: C:\Users\user\Desktop\FW URGENT RFQ-400098211.PDBl source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872137618.0000003E14EF3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: \??\C:\Users\user\Desktop\FW URGENT RFQ-400098211.PDBn). source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf, S source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdbP source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >pC:\Users\user\Desktop\FW URGENT RFQ-400098211.PDB` source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872137618.0000003E14EF3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbpx source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbolean)ll source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVE source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDS source: WERBD0B.tmp.dmp.8.dr

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49747 -> 108.170.55.203:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49747 -> 108.170.55.203:587
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.80
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP/1.1Host: ogs.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: terminal4.veeblehosting.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: ogs.google.com
Source: MSBuild.exe, 00000003.00000002.2877198135.00000000067C4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2877198135.0000000006740000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871576036.0000000001460000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2873047771.0000000003444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: MSBuild.exe, 00000003.00000002.2877198135.0000000006740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MSBuild.exe, 00000003.00000002.2877198135.00000000067C4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2877198135.0000000006740000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871982802.0000000001557000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2873047771.0000000003444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: MSBuild.exe, 00000003.00000002.2877198135.00000000067C4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871982802.0000000001557000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2873047771.0000000003444000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871576036.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: MSBuild.exe, 00000003.00000002.2873047771.00000000033E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1874267788.0000023649E02000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2873047771.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871237151.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: MSBuild.exe, 00000003.00000002.2877198135.00000000067C4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2877198135.0000000006740000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871576036.0000000001460000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871982802.0000000001557000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2873047771.0000000003444000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871576036.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: MSBuild.exe, 00000003.00000002.2873047771.00000000033E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000003.00000002.2873047771.0000000003444000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://terminal4.veeblehosting.com
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: chromecache_107.7.dr String found in binary or memory: http://www.broofa.com
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1874267788.0000023649E02000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871237151.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: chromecache_120.7.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_120.7.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_120.7.dr, chromecache_107.7.dr String found in binary or memory: https://apis.google.com
Source: chromecache_111.7.dr String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_120.7.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_120.7.dr String found in binary or memory: https://content.googleapis.com
Source: chromecache_120.7.dr String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: chromecache_120.7.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_107.7.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_107.7.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_107.7.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_107.7.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_121.7.dr String found in binary or memory: https://ogs.google.com/
Source: chromecache_121.7.dr String found in binary or memory: https://ogs.google.com/widget/app/so
Source: chromecache_106.7.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_120.7.dr String found in binary or memory: https://plus.google.com
Source: chromecache_120.7.dr String found in binary or memory: https://plus.googleapis.com
Source: MSBuild.exe, 00000003.00000002.2877198135.00000000067C4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871982802.0000000001557000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2873047771.0000000003444000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871576036.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: chromecache_121.7.dr String found in binary or memory: https://ssl.gstatic.com
Source: chromecache_111.7.dr String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_120.7.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chromecache_111.7.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: chromecache_120.7.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_120.7.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_121.7.dr String found in binary or memory: https://www.gstatic.com
Source: chromecache_121.7.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.
Source: chromecache_107.7.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_107.7.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_107.7.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, 8WWn.cs .Net Code: UpF
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.raw.unpack, 8WWn.cs .Net Code: UpF

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: FW URGENT RFQ-400098211.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA27268 0_2_00007FFD9BA27268
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA14258 0_2_00007FFD9BA14258
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA1EA21 0_2_00007FFD9BA1EA21
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA2774B 0_2_00007FFD9BA2774B
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA1FEBA 0_2_00007FFD9BA1FEBA
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA1E599 0_2_00007FFD9BA1E599
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA215A9 0_2_00007FFD9BA215A9
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA16C8C 0_2_00007FFD9BA16C8C
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA22C5A 0_2_00007FFD9BA22C5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_01894AC0 3_2_01894AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0189CE88 3_2_0189CE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_01893EA8 3_2_01893EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018941F0 3_2_018941F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_0189F6D0 3_2_0189F6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_06D287C8 3_2_06D287C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_06D232D0 3_2_06D232D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_06D20040 3_2_06D20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_06D29C00 3_2_06D29C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_06D2E840 3_2_06D2E840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_06D259B0 3_2_06D259B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_06D28F00 3_2_06D28F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_06D2ACA8 3_2_06D2ACA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_06D20007 3_2_06D20007
One or more processes crash
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5728 -s 1104
PE file does not import any functions
Source: FW URGENT RFQ-400098211.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: FW URGENT RFQ-400098211.exe, 00000000.00000000.1592013291.0000023638032000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIpiwuvijepoyadujupoxuH vs FW URGENT RFQ-400098211.exe
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1874267788.0000023649E02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename42955ef0-2c7b-4b6e-b09e-4c0df0e3b688.exe@ vs FW URGENT RFQ-400098211.exe
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1874267788.0000023649E02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIsarilesapipaB vs FW URGENT RFQ-400098211.exe
Source: FW URGENT RFQ-400098211.exe Binary or memory string: OriginalFilenameIpiwuvijepoyadujupoxuH vs FW URGENT RFQ-400098211.exe
Yara signature match
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: FW URGENT RFQ-400098211.exe, -----.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, G39cBQ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, G39cBQ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, sDtvQjPGfa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, sDtvQjPGfa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, sDtvQjPGfa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, sDtvQjPGfa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, b1PPCKov2KZ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, b1PPCKov2KZ.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: FW URGENT RFQ-400098211.exe, -------.cs Suspicious URL: 'https://yandex.ru/search/?text=%D0%BF%D1%80%D0%B8%D0%BC%D0%B5%D1%80'
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.00000236380EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVE
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@24/38@8/7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5728
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\eb6fc833-e31f-4af3-8eb1-9965d6b98dc1 Jump to behavior
Source: FW URGENT RFQ-400098211.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FW URGENT RFQ-400098211.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: FW URGENT RFQ-400098211.exe ReversingLabs: Detection: 37%
Source: FW URGENT RFQ-400098211.exe Virustotal: Detection: 30%
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe File read: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe "C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe"
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(%08)192207080962112986271363245700090061668218406782359533476819003707/
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 --field-trial-handle=2392,i,10964861050037891216,14656894280507300521,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5728 -s 1104
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 --field-trial-handle=2392,i,10964861050037891216,14656894280507300521,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: FW URGENT RFQ-400098211.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FW URGENT RFQ-400098211.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: FW URGENT RFQ-400098211.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbr source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FW URGENT RFQ-400098211.PDB source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872137618.0000003E14EF3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: )"Ayib.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: System.Drawing.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb(8 source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbSys source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbtrinT source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb0<c source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.00000236380EC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: C:\Users\user\Desktop\FW URGENT RFQ-400098211.PDBl source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872137618.0000003E14EF3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: \??\C:\Users\user\Desktop\FW URGENT RFQ-400098211.PDBn). source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf, S source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdbP source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: >pC:\Users\user\Desktop\FW URGENT RFQ-400098211.PDB` source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872137618.0000003E14EF3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbpx source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbolean)ll source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1872410845.0000023638156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERBD0B.tmp.dmp.8.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVE source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1876550874.0000023652520000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDS source: WERBD0B.tmp.dmp.8.dr
Binary contains a suspicious time stamp
Source: FW URGENT RFQ-400098211.exe Static PE information: 0x8E923614 [Wed Oct 18 13:39:32 2045 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA25996 push ebp; retf 0_2_00007FFD9BA259D8
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA100BD pushad ; iretd 0_2_00007FFD9BA100C1
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA1BD90 push ebp; retf 0_2_00007FFD9BA259D8
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA25570 push edx; iretd 0_2_00007FFD9BA255DB
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BA25555 push edx; iretd 0_2_00007FFD9BA255DB
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Code function: 0_2_00007FFD9BAF026B push esp; retf 4810h 0_2_00007FFD9BAF0312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_06D2B9D0 push eax; ret 3_2_06D2B9DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_072C27CD push dword ptr [ecx+ecx-75h]; iretd 3_2_072C27D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_072C11B3 push es; ret 3_2_072C11C0
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: FW URGENT RFQ-400098211.exe PID: 5728, type: MEMORYSTR
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp, FW URGENT RFQ-400098211.exe, 00000000.00000002.1874267788.0000023649E02000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2871237151.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Memory allocated: 23638350000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Memory allocated: 23651DF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1890000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 33E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3160000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 572 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2856 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8292 Thread sleep count: 572 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -99878s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8292 Thread sleep count: 2856 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -99746s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -99639s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -99530s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -99367s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -98229s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -98071s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -97847s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -97717s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -97601s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -97492s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -97383s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -97274s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -97165s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -97062s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -96952s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -96843s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -96733s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -96622s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8280 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99878 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99746 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99639 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99530 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99367 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98229 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98071 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97847 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97717 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97601 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97492 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97383 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97274 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97165 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96952 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96843 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96733 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96622 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 00000003.00000002.2877198135.0000000006740000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: MSBuild.exe, 00000003.00000002.2871237151.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: FW URGENT RFQ-400098211.exe, 00000000.00000002.1873031135.0000023639E38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MSBuild.exe, 00000003.00000002.2871237151.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBox
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 3_2_018970B0 CheckRemoteDebuggerPresent, 3_2_018970B0
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: FW URGENT RFQ-400098211.exe, -----.cs Reference to suspicious API methods: GetProcAddress(_322E_31DD_31D6_31E8_31DA_319D, _3196_320A_A9B5_321D(_A9B9_319B))
Source: FW URGENT RFQ-400098211.exe, -----.cs Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_319F_31CC_31C2_3211_A9BD_31E7_3205.Length, 64u, out var _31D9_A9B7_322A)
Source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, uRcQkDeJoO4.cs Reference to suspicious API methods: zHSk.OpenProcess(C6Nh1Wz8.DuplicateHandle, bInheritHandle: true, (uint)_4aIajlwkXEt2.ProcessID)
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000 Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 440000 Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1235008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Queries volume information: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FW URGENT RFQ-400098211.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2873047771.0000000003462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2873047771.000000000343E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2871237151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2873047771.0000000003412000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1874267788.0000023649E02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FW URGENT RFQ-400098211.exe PID: 5728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7288, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2871237151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2873047771.0000000003412000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1874267788.0000023649E02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FW URGENT RFQ-400098211.exe PID: 5728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7288, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e79740.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FW URGENT RFQ-400098211.exe.23649e3dcf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2873047771.0000000003462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2873047771.000000000343E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2871237151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2873047771.0000000003412000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1874267788.0000023649E02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FW URGENT RFQ-400098211.exe PID: 5728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7288, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436367 Sample: FW URGENT RFQ-400098211.exe Startdate: 04/05/2024 Architecture: WINDOWS Score: 100 23 terminal4.veeblehosting.com 2->23 25 ip-api.com 2->25 27 3 other IPs or domains 2->27 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 11 other signatures 2->49 7 FW URGENT RFQ-400098211.exe 2 2->7         started        10 chrome.exe 1 2->10         started        signatures3 process4 dnsIp5 51 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->51 53 Writes to foreign memory regions 7->53 55 Allocates memory in foreign processes 7->55 57 Injects a PE file into a foreign processes 7->57 13 MSBuild.exe 15 2 7->13         started        17 WerFault.exe 19 16 7->17         started        19 InstallUtil.exe 7->19         started        29 192.168.2.4, 138, 443, 49723 unknown unknown 10->29 31 239.255.255.250 unknown Reserved 10->31 21 chrome.exe 10->21         started        signatures6 process7 dnsIp8 33 ip-api.com 208.95.112.1, 49742, 80 TUT-ASUS United States 13->33 35 terminal4.veeblehosting.com 108.170.55.203, 49747, 587 SSASN2US United States 13->35 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->59 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->61 63 Tries to steal Mail credentials (via file / registry access) 13->63 65 3 other signatures 13->65 37 www.google.com 142.250.68.4, 443, 49731, 49732 GOOGLEUS United States 21->37 39 www3.l.google.com 142.250.72.142, 443, 49768 GOOGLEUS United States 21->39 41 3 other IPs or domains 21->41 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.68.4
 www.google.com United States
15169 GOOGLEUS false
108.170.55.203
 terminal4.veeblehosting.com United States
20454 SSASN2US false
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
172.217.12.142
 plus.l.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.72.142
 www3.l.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.4

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
plus.l.google.com 172.217.12.142 true
www3.l.google.com 142.250.72.142 true
www.google.com 142.250.68.4 true
ip-api.com 208.95.112.1 true
terminal4.veeblehosting.com 108.170.55.203 true
fp2e7a.wpc.phicdn.net 192.229.211.108 true
ogs.google.com unknown unknown
apis.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.google.com/async/newtab_promos false
    		high
    https://www.google.com/async/ddljson?async=ntp:2 false
      		high
      https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
        		high
        https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en false
          		high
          https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 false
            		high
            https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
              		high
              http://ip-api.com/line/?fields=hosting false
                		high