Analysis Report INQUIRY.exe

Overview

General Information

Sample Name: INQUIRY.exe
Analysis ID: 319686
MD5: 0b940145d7d02e5b1b975c99dd5197a4
SHA1: 53ae0b576f7b362b90a25ace1470d33068db4490
SHA256: bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
Tags: exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: vbc.exe.6700.6.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: INQUIRY.exe Virustotal: Detection: 43%
Source: INQUIRY.exe ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: INQUIRY.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.2.INQUIRY.exe.22e0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 32.2.INQUIRY.exe.2680000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 32.2.INQUIRY.exe.2680000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.INQUIRY.exe.21e0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 1.2.INQUIRY.exe.2270000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.INQUIRY.exe.2270000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.INQUIRY.exe.2370000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.INQUIRY.exe.2370000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.INQUIRY.exe.2640000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.INQUIRY.exe.2640000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 27.2.INQUIRY.exe.2640000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 27.2.INQUIRY.exe.2640000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.INQUIRY.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.INQUIRY.exe.25f0000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.INQUIRY.exe.22f0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.INQUIRY.exe.22f0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.22f0000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.INQUIRY.exe.22f0000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.INQUIRY.exe.2300000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.INQUIRY.exe.2300000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.INQUIRY.exe.2490000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.INQUIRY.exe.2490000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.2210000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 28.2.INQUIRY.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.INQUIRY.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.INQUIRY.exe.2660000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.INQUIRY.exe.2660000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.2380000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.INQUIRY.exe.2380000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 32.2.INQUIRY.exe.2630000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.INQUIRY.exe.7a0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 16.2.INQUIRY.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.INQUIRY.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 27.2.INQUIRY.exe.25e0000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.INQUIRY.exe.2240000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.INQUIRY.exe.2240000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.INQUIRY.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.INQUIRY.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473

Spreading:

May infect USB drives
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: INQUIRY.exe Binary or memory string: [autorun]
Source: INQUIRY.exe Binary or memory string: autorun.inf
Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004089B8 FindFirstFileA,GetLastError, 0_2_004089B8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405AE8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_004089B8 FindFirstFileA,GetLastError, 2_2_004089B8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 2_2_00405AE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 5_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 6_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 6_2_00407E0E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.4:49750 -> 166.62.27.57:587
Source: Traffic Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.4:49774 -> 166.62.27.57:587
May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49750 -> 166.62.27.57:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.154.36 104.16.154.36
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49750 -> 166.62.27.57:587
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: INQUIRY.exe, vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp, vbc.exe, 00000014.00000002.775214194.0000000000A2E000.00000004.00000040.sdmp String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp, vbc.exe, 00000014.00000002.775214194.0000000000A2E000.00000004.00000040.sdmp String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: INQUIRY.exe, vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp, vbc.exe, 00000014.00000002.775214194.0000000000A2E000.00000004.00000040.sdmp String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 121.205.6.0.in-addr.arpa
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: INQUIRY.exe, 00000001.00000003.656578776.0000000004FED000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmp String found in binary or memory: http://go.microsoft.
Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmp String found in binary or memory: http://go.microsoft.LinkId=42127
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: INQUIRY.exe, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: INQUIRY.exe, 00000001.00000003.659052456.0000000005013000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.659667033.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INQUIRY.exe, 00000001.00000003.659667033.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.661195055.0000000005011000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: INQUIRY.exe, 00000001.00000003.659571445.0000000005016000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com$p
Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com0p
Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comMic
Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC(
Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTCE
Source: INQUIRY.exe, 00000001.00000003.660352640.0000000005011000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comandh
Source: INQUIRY.exe, 00000001.00000003.659772843.0000000005016000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comits
Source: INQUIRY.exe, 00000001.00000003.659772843.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: INQUIRY.exe, 00000001.00000003.660352640.0000000005011000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comle
Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660006267.0000000004FF6000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comn
Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como.
Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comsm
Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comtig
Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INQUIRY.exe, 00000001.00000003.664630621.000000000501B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INQUIRY.exe, 00000001.00000003.664546236.0000000005011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlu
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: INQUIRY.exe, 00000001.00000003.662998950.0000000005011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersd
Source: INQUIRY.exe, 00000001.00000003.663957016.0000000005016000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designershq
Source: INQUIRY.exe, 00000001.00000003.664066811.0000000005016000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerslb
Source: INQUIRY.exe, 00000001.00000003.664511180.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com=
Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comTTFF
Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalsd=
Source: INQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comepko
Source: INQUIRY.exe, 00000001.00000003.664511180.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessed
Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comgrito
Source: INQUIRY.exe, 00000001.00000003.664511180.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comk
Source: INQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comlvfet
Source: INQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comm=
Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comnc.
Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coms
Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsiv&
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: INQUIRY.exe, 00000001.00000003.659052456.0000000005013000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.657519748.0000000005012000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INQUIRY.exe, 00000001.00000003.666565645.0000000004FEF000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.661257796.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/://w
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Treb
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/cheV
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp//
Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s/
Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/typo
Source: vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comic
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: INQUIRY.exe, vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com
Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp, vbc.exe, 00000014.00000002.775214194.0000000000A2E000.00000004.00000040.sdmp String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: INQUIRY.exe, vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
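The string evidence above mixes genuine stealer indicators (the NirSoft moz_logins query with the signons.* and IntelliForms\Storage2 paths, the whatismyipaddress.com lookup, the http://www.site.com/logs.php endpoint, the nirsoft.net URL inside the hollowed vbc.exe image) with noise that any .NET process can carry: font-vendor URLs from loaded font files and the Comodo CRL/OCSP URLs from the code-signing certificate. The Python triage script below is an added example, not part of Joe Sandbox or of the sample; it parses evidence lines of this report's format, classifies each string, reports which categories each process image carries, and flags executable-and-writable dumps that hold harvesting strings. The category names and regex lists are this example's own choices, the evidence lines embedded in it are constructed abridgements of lines from this report, and reading the fifth field of the .sdmp file name as the Win32 page-protection constant (0x40 = PAGE_EXECUTE_READWRITE) is an assumption about the sandbox's dump naming.

```python
import re
from collections import Counter, defaultdict

# Win32 memory-protection constant. Assumption: the 8-hex-digit field before the
# last one in an .sdmp file name is this protection value for the dumped region.
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample: abridged evidence lines in the report's own format.
EVIDENCE = [
    "Source: vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp, "
    "vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp "
    "String found in binary or memory: http://www.nirsoft.net/",
    "Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, "
    "vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp "
    "String found in binary or memory: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, "
    "passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txt"
    "signons3.txtsignons.sqliteSoftware\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2",
    "Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp "
    "String found in binary or memory: http://whatismyipaddress.com",
    "Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp "
    "String found in binary or memory: http://www.site.com/logs.php",
    "Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp "
    "String found in binary or memory: https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi",
    "Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp "
    "String found in binary or memory: http://www.carterandcone.comtig",
    "Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp "
    "String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r",
    "Source: INQUIRY.exe, 00000001.00000003.656578776.0000000004FED000.00000004.00000001.sdmp "
    "String found in binary or memory: http://en.w",
]

LINE_RE = re.compile(r"^Source:\s+(?P<sources>.+?)\s+String found in binary or memory:\s*(?P<string>.*)$")
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)

# Ordered by severity; category names and patterns are this example's own choices.
# Matching on host names only, because the strings tool glues adjacent bytes onto URLs.
RULES = [
    ("credential_harvest", re.compile(
        r"moz_logins|signons\d?\.(?:txt|sqlite)|IntelliForms\\Storage2|WebCacheV\d+\.dat|"
        r"nirsoft\.net|accounts/servicelogin|login\.yahoo\.com/config/login", re.I)),
    ("external_ip_check", re.compile(r"whatismyipaddress\.com", re.I)),
    ("possible_exfil_endpoint", re.compile(r"/logs\.php", re.I)),
    ("browser_data_read", re.compile(r"consent\.google\.com|doubleclick\.net|microsoft\.com/(?:en-us/)?edge", re.I)),
    ("noise_pki", re.compile(r"\bcrl\.|\bocsp\.", re.I)),
    ("noise_font_metadata", re.compile(
        r"fontbureau\.com|carterandcone\.com|jiyu-kobo\.co\.jp|fonts\.com|fontfabrik\.com|founder\.com\.cn|"
        r"galapagosdesign\.com|goodfont\.co\.kr|sajatypeworks\.com|sakkal\.com|sandoll\.co\.kr|tiro\.com|"
        r"typography\.net|urwpp\.de|zhongyicts\.com\.cn|apache\.org/licenses", re.I)),
]


def classify(s):
    """Return every category whose pattern matches, in severity order, or ['unknown']."""
    hits = [name for name, pattern in RULES if pattern.search(s)]
    return hits or ["unknown"]


def parse_line(line):
    """Split one evidence line into the images it names, the parsed dumps, and the string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    images, dumps, image = set(), [], None
    for tok in (t.strip() for t in m.group("sources").split(",")):
        if tok.endswith(".sdmp"):
            d = DUMP_RE.match(tok)
            if d and image:  # a dump belongs to the image name that precedes it
                dumps.append({"image": image, "base": int(d["base"], 16), "protect": int(d["protect"], 16)})
        elif tok:
            image = tok
            images.add(tok)
    return {"images": images, "dumps": dumps, "string": m.group("string"),
            "categories": classify(m.group("string"))}


def triage(lines):
    """Aggregate categories per image, flag RWX regions holding harvest strings, and give a verdict."""
    counts, per_image, rwx_harvest = Counter(), defaultdict(set), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cats = rec["categories"]
        counts.update(cats)
        for image in rec["images"]:
            per_image[image].update(c for c in cats if c != "unknown" and not c.startswith("noise_"))
        if "credential_harvest" in cats:
            for dump in rec["dumps"]:
                if dump["protect"] == PAGE_EXECUTE_READWRITE:
                    rwx_harvest.add((dump["image"], dump["base"]))
    if "credential_harvest" in counts and ("external_ip_check" in counts or "possible_exfil_endpoint" in counts):
        verdict = "credential stealer corroborated"
    elif "credential_harvest" in counts:
        verdict = "credential-access strings present"
    else:
        verdict = "no stealer indicators in string evidence"
    return {"counts": dict(counts), "per_image": {k: sorted(v) for k, v in per_image.items()},
            "rwx_harvest_regions": sorted(rwx_harvest), "verdict": verdict}


if __name__ == "__main__":
    result = triage(EVIDENCE)
    print(result["verdict"])
    for image, cats in result["per_image"].items():
        print(f"{image}: {', '.join(cats)}")
    for image, base in result["rwx_harvest_regions"]:
        print(f"RWX region with harvest strings: {image} @ {base:#x}")
```

On the sample lines, vbc.exe carries the harvesting strings in an RWX region at 0x400000, the usual image base for a hollowed 32-bit process, while the whatismyipaddress.com and logs.php strings sit in the read-write heap of INQUIRY.exe; the font and PKI URLs are dropped from the per-image view so they do not inflate the verdict.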
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.661257796.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/://w
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Treb
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/cheV
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp//
Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s/
Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/typo
Source: vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comic
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: INQUIRY.exe, vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com
Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp, vbc.exe, 00000014.00000002.775214194.0000000000A2E000.00000004.00000040.sdmp String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: INQUIRY.exe, vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.863232173.0000000002DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WerFault.exe PID: 6776, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED
Source: Yara match File source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\Desktop\INQUIRY.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\INQUIRY.exe
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004070D2 OpenClipboard, 0_2_004070D2
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004233B4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 0_2_004233B4
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_004239F8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 2_2_004239F8
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00459724 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA, 0_2_00459724
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\INQUIRY.exe Window created: window name: CLIPBRDWNDCLASS
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004557F8 NtdllDefWindowProc_A, 0_2_004557F8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00456024
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0044A3C8 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_0044A3C8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043A6DC NtdllDefWindowProc_A,GetCapture, 0_2_0043A6DC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0042E904 NtdllDefWindowProc_A, 0_2_0042E904
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00455F74
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_00490159 NtCreateSection, 1_2_00490159
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_004557F8 NtdllDefWindowProc_A, 2_2_004557F8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 2_2_00456024
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0044A3C8 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 2_2_0044A3C8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043A6DC NtdllDefWindowProc_A,GetCapture, 2_2_0043A6DC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0042E904 NtdllDefWindowProc_A, 2_2_0042E904
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 2_2_00455F74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 6_2_00408836
Detected potential crypto function
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0044A3C8 0_2_0044A3C8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046F74C 0_2_0046F74C
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004759E0 0_2_004759E0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0044FECC 0_2_0044FECC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0040D426 1_2_0040D426
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0040D523 1_2_0040D523
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0041D5AE 1_2_0041D5AE
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_00417646 1_2_00417646
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0040D6C4 1_2_0040D6C4
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_004429BE 1_2_004429BE
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_00446AF4 1_2_00446AF4
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0046ABFC 1_2_0046ABFC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_00463C4D 1_2_00463C4D
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_00463CBE 1_2_00463CBE
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0040ED03 1_2_0040ED03
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_00463D2F 1_2_00463D2F
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_00463DC0 1_2_00463DC0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0040CF92 1_2_0040CF92
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0041AFA6 1_2_0041AFA6
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048F13D 1_2_0048F13D
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_00489976 1_2_00489976
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_004F9017 1_2_004F9017
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_004F90A8 1_2_004F90A8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_004A227A 1_2_004A227A
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_004B028E 1_2_004B028E
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0043C7BC 1_2_0043C7BC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0044A3C8 2_2_0044A3C8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0046F74C 2_2_0046F74C
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_004759E0 2_2_004759E0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0044FECC 2_2_0044FECC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_00404DDB 5_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_0040BD8A 5_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_00404E4C 5_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_00404EBD 5_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_00404F4E 5_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404419 6_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404516 6_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00413538 6_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004145A1 6_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040E639 6_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004337AF 6_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004399B1 6_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0043DAE7 6_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00405CF6 6_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00403F85 6_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00411F99 6_2_00411F99
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 004035DC appears 35 times
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 00404348 appears 78 times
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 004039A8 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 004035DC appears 70 times
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 0040436C appears 36 times
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 004066E0 appears 32 times
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 0044BA9D appears 36 times
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 00403E24 appears 34 times
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 0040C2F0 appears 36 times
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 00404348 appears 156 times
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 004039A8 appears 80 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
PE file contains strange resources
Source: INQUIRY.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
Source: INQUIRY.exe, 00000000.00000002.656350929.00000000026C2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
Source: INQUIRY.exe, 00000000.00000002.655979253.0000000002270000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
Source: INQUIRY.exe Binary or memory string: OriginalFilename vs INQUIRY.exe
Source: INQUIRY.exe Binary or memory string: OriginalFileName vs INQUIRY.exe
Source: INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
Source: INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
Source: INQUIRY.exe, 00000001.00000002.737328211.00000000022F2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INQUIRY.exe
Source: INQUIRY.exe, 00000002.00000002.750595289.0000000002270000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
Source: INQUIRY.exe, 0000000D.00000002.757044777.00000000026E2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
Source: INQUIRY.exe, 0000000D.00000002.756074232.0000000002160000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
Source: INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INQUIRY.exe
Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs INQUIRY.exe
Source: INQUIRY.exe, 00000011.00000002.836765666.0000000002160000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@46/34@17/4
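The Form1.cs findings above pair CreateDecryptor/TransformFinalBlock with three Base64 strings, the usual .NET pattern for decrypting an embedded configuration or payload with a symmetric cipher; the report does not say which algorithm or key is used. The following Python is an added example, not code from the sample or the sandbox: it decodes the strings exactly as copied from the report and records what can be checked without the key, namely decoded length, block alignment (16 bytes for AES/Rijndael, 8 for DES/TripleDES), printable ratio and byte entropy.

```python
"""Triage of the Base64 strings the report lists beside CreateDecryptor/TransformFinalBlock.

Added example, not code from the sample or the sandbox: it only decodes the strings and
reports properties an analyst can check without knowing the key or algorithm.
"""
import base64
import math
import re

# Copied verbatim from the report's Form1.cs findings (e.g. 0.2.INQUIRY.exe.2640000.3.unpack).
REPORTED_STRINGS = [
    "V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx",
    "xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS",
    "PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w==",
]

_CANONICAL_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random-looking ciphertext of n bytes approaches min(8, log2(n))."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(encoded: str) -> dict:
    """Decode one string and describe it in terms relevant to a .NET ICryptoTransform call."""
    if len(encoded) % 4 or not _CANONICAL_B64.match(encoded):
        raise ValueError("not canonical Base64: %r" % encoded)
    raw = base64.b64decode(encoded, validate=True)
    printable = sum(1 for b in raw if 32 <= b < 127)
    return {
        "decoded_len": len(raw),
        # TransformFinalBlock on an ECB/CBC block cipher with PKCS7 padding yields ciphertext
        # that is a whole number of blocks: 16 bytes for AES/Rijndael, 8 for DES/TripleDES.
        "aes_block_aligned": len(raw) % 16 == 0,
        "des_block_aligned": len(raw) % 8 == 0,
        # A plaintext config would decode to mostly printable bytes; ciphertext will not.
        "printable_ratio": round(printable / len(raw), 2),
        "entropy_bits_per_byte": round(shannon_entropy(raw), 2),
    }


def triage_all(strings=REPORTED_STRINGS) -> list:
    """Triage every reported string; returns one row per string."""
    return [dict(encoded=s, **triage(s)) for s in strings]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```

All three strings decode to 48, 48 and 64 bytes, whole AES and DES blocks, which is consistent with padded block-cipher output rather than plain Base64-wrapped text. That narrows the algorithm family, but recovering the plaintext still requires the key and IV from the decompiled Form1.cs.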
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00420A80 GetLastError,FormatMessageA, 0_2_00420A80
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00408B82 GetDiskFreeSpaceA, 0_2_00408B82
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 6_2_00411196
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00417214 FindResourceA,LoadResource,SizeofResource,LockResource, 0_2_00417214
Source: C:\Users\user\Desktop\INQUIRY.exe File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Users\user\Desktop\INQUIRY.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6808
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5896
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1364
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF38.tmp
Source: C:\Users\user\Desktop\INQUIRY.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\INQUIRY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\INQUIRY.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: INQUIRY.exe Virustotal: Detection: 43%
Source: INQUIRY.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\INQUIRY.exe File read: C:\Users\user\Desktop\INQUIRY.exe
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 2216
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2324
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2096
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\INQUIRY.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\INQUIRY.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbE source: INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbi source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb1 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: wbemprox.pdbee source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.698848743.00000000049D4000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.777673272.0000000002E84000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdbJhgiX source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb$hAi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.711844278.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793745442.0000000005270000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb/ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.698202871.0000000002BC1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776011928.0000000002E7E000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbkRi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb6hSi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb] source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdbo source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.711844278.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793745442.0000000005270000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cordacwks.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbqa{ source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.699952597.0000000002BCD000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776039564.0000000002E8A000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: INQUIRY.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp
Source: Binary string: sxs.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdb? source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: psapi.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wbemcomn.pdbxi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: Z[zTs5.pdb6 source: INQUIRY.exe, 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp
Source: Binary string: cordacwks.pdb^hkiY source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb@hmi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: schannel.pdbG source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb) source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: security.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb{ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdbLhYiL source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbo source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: DWrite.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: version.pdb7 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.698225687.0000000002BC7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.777673272.0000000002E84000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.pdb9 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb&kpir source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb(kji source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cordacwks.pdb# source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: .pdb* source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: secur32.pdbvi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdb5 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb! source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbe source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msvcr80.i386.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: DWrite.pdbq source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb.h;i source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb"hOi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorsec.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorwks.pdb% source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.698202871.0000000002BC1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776011928.0000000002E7E000.00000004.00000001.sdmp
Source: Binary string: mscorwks.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb8hUi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorjit.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: shfolder.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: culture.pdbe source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: WMINet_Utils.pdb_ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb- source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wmiutils.pdbbi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wbemcomn.pdbS source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: wbemprox.pdbee-c source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.699952597.0000000002BCD000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776039564.0000000002E8A000.00000004.00000001.sdmp
Source: Binary string: tsymbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbThqia source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: 1_oC:\Windows\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: culture.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb; source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbE source: INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbi source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb1 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: wbemprox.pdbee source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.698848743.00000000049D4000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.777673272.0000000002E84000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdbJhgiX source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb$hAi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.711844278.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793745442.0000000005270000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb/ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.698202871.0000000002BC1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776011928.0000000002E7E000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbkRi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb6hSi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb] source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdbo source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.711844278.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793745442.0000000005270000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cordacwks.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbqa{ source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.699952597.0000000002BCD000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776039564.0000000002E8A000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: INQUIRY.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp
Source: Binary string: sxs.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdb? source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbo source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: DWrite.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: version.pdb7 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.698225687.0000000002BC7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.777673272.0000000002E84000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.pdb9 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb&kpir source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb(kji source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cordacwks.pdb# source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: .pdb* source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: secur32.pdbvi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdb5 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb! source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbe source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msvcr80.i386.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: DWrite.pdbq source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb.h;i source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb"hOi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorsec.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorwks.pdb% source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.698202871.0000000002BC1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776011928.0000000002E7E000.00000004.00000001.sdmp
Source: Binary string: mscorwks.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb8hUi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorjit.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: shfolder.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: culture.pdbe source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: WMINet_Utils.pdb_ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb- source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wmiutils.pdbbi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wbemcomn.pdbS source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: wbemprox.pdbee-c source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.699952597.0000000002BCD000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776039564.0000000002E8A000.00000004.00000001.sdmp
Source: Binary string: tsymbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbThqia source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: 1_oC:\Windows\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: culture.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb; source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 1.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 16.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 28.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 33.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 1.2.INQUIRY.exe.2300000.3.unpack
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 16.2.INQUIRY.exe.2490000.3.unpack
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 33.2.INQUIRY.exe.2380000.3.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 1.2.INQUIRY.exe.400000.0.unpack
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 16.2.INQUIRY.exe.400000.0.unpack
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 28.2.INQUIRY.exe.400000.0.unpack
Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 33.2.INQUIRY.exe.400000.0.unpack
.NET source code contains potential unpacker
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_004414DC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00441B28 push 00441BB5h; ret 0_2_00441BAD
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C020 push 0040C098h; ret 0_2_0040C090
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00430030 push 0043005Ch; ret 0_2_00430054
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C09A push 0040C10Bh; ret 0_2_0040C103
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C09C push 0040C10Bh; ret 0_2_0040C103
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C17A push 0040C1A8h; ret 0_2_0040C1A0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C17C push 0040C1A8h; ret 0_2_0040C1A0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00430198 push 004301C4h; ret 0_2_004301BC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004101B0 push 00410211h; ret 0_2_00410209
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00410214 push 00410415h; ret 0_2_0041040D
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C2A4 push eax; retn 0040h 0_2_0040C2B9
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004583D8 push 00458404h; ret 0_2_004583FC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00410418 push 0041055Ch; ret 0_2_00410554
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00426524 push 004265F4h; ret 0_2_004265EC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00410530 push 0041055Ch; ret 0_2_00410554
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046A5E4 push ecx; mov dword ptr [esp], ecx 0_2_0046A5E8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040659E push 004065F1h; ret 0_2_004065E9
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004065A0 push 004065F1h; ret 0_2_004065E9
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0041C6E4 push ecx; mov dword ptr [esp], edx 0_2_0041C6E9
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00406770 push 0040679Ch; ret 0_2_00406794
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00426704 push 00426730h; ret 0_2_00426728
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004667D8 push 00466804h; ret 0_2_004667FC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004627D8 push ecx; mov dword ptr [esp], ecx 0_2_004627DD
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040682C push 00406858h; ret 0_2_00406850
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046A8F4 push 0046A91Ah; ret 0_2_0046A912
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046A958 push 0046A984h; ret 0_2_0046A97C
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0041A978 push ecx; mov dword ptr [esp], edx 0_2_0041A97A
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004269BC push 004269E8h; ret 0_2_004269E0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00428A50 push 00428A7Ch; ret 0_2_00428A74
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00444A7C push 00444AA8h; ret 0_2_00444AA0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00428A04 push 00428A45h; ret 0_2_00428A3D

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\INQUIRY.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00455880 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_00455880
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00456024
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043C658 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0043C658
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00452974 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00452974
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043CF3C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0043CF3C
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00427418 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00427418
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043BDB0 IsIconic,GetCapture, 0_2_0043BDB0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00455F74
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00455880 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_00455880
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 2_2_00456024
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043C658 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 2_2_0043C658
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00452974 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 2_2_00452974
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043CF3C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_0043CF3C
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00427418 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_00427418
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043BDB0 IsIconic,GetCapture, 2_2_0043BDB0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 2_2_00455F74
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_004414DC
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\INQUIRY.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Stores large binary data to the registry
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00430D08 0_2_00430D08
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00430D08 0_2_00430D08
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00430D08 2_2_00430D08
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 6_2_00408836
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 6_2_00408836
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_00454E54
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_00454E54
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 2_2_00454E54
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 300000
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00430D08 0_2_00430D08
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00430D08 2_2_00430D08
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6756 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4780 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6820 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6780 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -99860s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98500s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97406s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97297s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97047s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -96953s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4476 Thread sleep count: 213 > 30
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6152 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6432 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6444 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6292 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5900 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99906s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99812s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99359s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98812s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98062s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6600 Thread sleep count: 150 > 30
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 7136 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6320 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6328 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 1548 Thread sleep count: 51 > 30
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5260 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5492 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5560 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5508 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5956 Thread sleep count: 99 > 30
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6756 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4780 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6820 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6780 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -99860s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98500s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97406s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97297s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97047s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -96953s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4476 Thread sleep count: 213 > 30
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6152 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6432 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6444 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6292 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5900 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99906s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99812s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99359s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99250s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File opened: PhysicalDrive0
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\INQUIRY.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\INQUIRY.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004089B8 FindFirstFileA,GetLastError, 0_2_004089B8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405AE8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_004089B8 FindFirstFileA,GetLastError, 2_2_004089B8
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 2_2_00405AE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 5_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 6_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 6_2_00407E0E
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00421010 GetSystemInfo, 0_2_00421010
Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000016.00000002.818731802.0000000004BCC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW|p
Source: WerFault.exe, 00000009.00000002.730528117.000000000481B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.818731802.0000000004BCC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000009.00000002.730528117.000000000481B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWonic0Local Area Connection* 7
Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\INQUIRY.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0048B6F3
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 6_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_004414DC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048F412 mov eax, dword ptr fs:[00000030h] 1_2_0048F412
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048F4D0 mov eax, dword ptr fs:[00000030h] 1_2_0048F4D0
Enables debug privileges
Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0048B6F3
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048A746 SetUnhandledExceptionFilter, 1_2_0048A746
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0048BBB5
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0048DD7F
Source: C:\Users\user\Desktop\INQUIRY.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.INQUIRY.exe.2640000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.INQUIRY.exe.2270000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.INQUIRY.exe.2300000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.INQUIRY.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 13.2.INQUIRY.exe.2660000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.2.INQUIRY.exe.2370000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.2.INQUIRY.exe.2490000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 16.2.INQUIRY.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 27.2.INQUIRY.exe.2640000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 28.2.INQUIRY.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 28.2.INQUIRY.exe.2240000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405CA0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040AD50
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA, 0_2_004099D4
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA, 0_2_00409A20
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405DAC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405CA0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040AD50
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA, 0_2_004099D4
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA, 0_2_00409A20
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405DAC
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA, 1_2_0048EA4A
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 2_2_00405CA0
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA,GetACP, 2_2_0040AD50
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA, 2_2_004099D4
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA, 2_2_00409A20
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 2_2_00405DAC
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040697A GetSystemTime, 0_2_0040697A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 5_2_0040724C
Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00441B28 GetVersion, 0_2_00441B28
Source: C:\Users\user\Desktop\INQUIRY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: INQUIRY.exe, 00000011.00000002.835872619.000000000019D000.00000004.00000010.sdmp Binary or memory string: avp.exe
Source: INQUIRY.exe, 00000010.00000002.825678890.00000000008CC000.00000004.00000020.sdmp Binary or memory string: r\MsMpeng.exe
Source: INQUIRY.exe, 00000010.00000002.825678890.00000000008CC000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: Process Memory Space: WerFault.exe PID: 6776, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED
Yara detected MailPassView
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 5684, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 5_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 5_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 5_2_004033D7
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.894159498.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.929210977.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.863445427.0000000003961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.829490755.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6700, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 4184, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
Source: Yara match File source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: INQUIRY.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: INQUIRY.exe String found in binary or memory: HawkEyeKeylogger
Source: INQUIRY.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: INQUIRY.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.863232173.0000000002DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WerFault.exe PID: 6776, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED
Source: Yara match File source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph (rendered as an image in the original report; only the node data recoverable from the graph text is kept here)

Behavior Graph ID: 319686  Sample: INQUIRY.exe  Startdate: 18/11/2020  Architecture: WINDOWS  Score: 100
Processes: INQUIRY.exe, which repeatedly starts further INQUIRY.exe instances as well as vbc.exe, WerFault.exe and dw20.exe
Network: mail.iigcest.com (166.62.27.57, ports 49750, 49774, 587, AS-26496-GO-DADDY-COM-LLCUS, United States); whatismyipaddress.com; 104.16.155.36 (ports 443, 49777, 49778, CLOUDFLARENETUS, United States); 121.205.6.0.in-addr.arpa
Dropped files: C:\ProgramData\Microsoft\...\WER1B59.tmp.mdmp, WERAB44.tmp.mdmp and WER7CAE.tmp.mdmp (Mini DuMP crash dumps); C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
Signatures shown on the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); Detected unpacking (changes PE section rights / creates a PE file in dynamic memory / overwrites its own PE header); Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process; Sample uses process hollowing technique; Installs a global keyboard hook; Tries to steal Mail credentials (via file registry / via file access); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name                     Malicious
104.16.154.36  unknown  United States  13335  CLOUDFLARENETUS              false
104.16.155.36  unknown  United States  13335  CLOUDFLARENETUS              false
166.62.27.57   unknown  United States  26496  AS-26496-GO-DADDY-COM-LLCUS  true

Private

IP
192.168.2.1

Contacted Domains

Name                       IP             Active
whatismyipaddress.com      104.16.154.36  true
mail.iigcest.com           166.62.27.57   true
121.205.6.0.in-addr.arpa   unknown        unknown

Contacted URLs

Name                           Malicious  Antivirus Detection  Reputation
http://whatismyipaddress.com/  false                           high