
Analysis Report RXk6PjNTN8

Overview

General Information

Sample Name: RXk6PjNTN8 (renamed file extension from none to exe)
Analysis ID: 317419
MD5: 2867b3c9e16f2be5bbcb595d8cf90676
SHA1: 4a0c9a455cc240ac71c125be97019923965f1ad5
SHA256: 1f7bf2479afee06220c111e8f642334cd4659ca96a2c3a523401e5362ac59b84

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • RXk6PjNTN8.exe (PID: 6440 cmdline: 'C:\Users\user\Desktop\RXk6PjNTN8.exe' MD5: 2867B3C9E16F2BE5BBCB595D8CF90676)
    • RegAsm.exe (PID: 6344 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • vbc.exe (PID: 5820 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6580 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.696029669.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
00000001.00000002.936657047.0000000003AA1000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
00000001.00000002.936657047.0000000003AA1000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
  • 0x7b8da:$key: HawkEyeKeylogger
  • 0x7dacc:$salt: 099u787978786
  • 0x7bee7:$string1: HawkEye_Keylogger
  • 0x7cd3a:$string1: HawkEye_Keylogger
  • 0x7da2c:$string1: HawkEye_Keylogger
  • 0x7c2d0:$string2: holdermail.txt
  • 0x7c2f0:$string2: holdermail.txt
  • 0x7c212:$string3: wallet.dat
  • 0x7c22a:$string3: wallet.dat
  • 0x7c240:$string3: wallet.dat
  • 0x7d60e:$string4: Keylog Records
  • 0x7d926:$string4: Keylog Records
  • 0x7db24:$string5: do not script -->
  • 0x7b8c2:$string6: \pidloc.txt
  • 0x7b91c:$string7: BSPLIT
  • 0x7b92c:$string7: BSPLIT
00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
2.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
3.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
3.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
0.3.RXk6PjNTN8.exe.45c0000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
  • 0x7b8ba:$key: HawkEyeKeylogger
  • 0x7daac:$salt: 099u787978786
  • 0x7bec7:$string1: HawkEye_Keylogger
  • 0x7cd1a:$string1: HawkEye_Keylogger
  • 0x7da0c:$string1: HawkEye_Keylogger
  • 0x7c2b0:$string2: holdermail.txt
  • 0x7c2d0:$string2: holdermail.txt
  • 0x7c1f2:$string3: wallet.dat
  • 0x7c20a:$string3: wallet.dat
  • 0x7c220:$string3: wallet.dat
  • 0x7d5ee:$string4: Keylog Records
  • 0x7d906:$string4: Keylog Records
  • 0x7db04:$string5: do not script -->
  • 0x7b8a2:$string6: \pidloc.txt
  • 0x7b8fc:$string7: BSPLIT
  • 0x7b90c:$string7: BSPLIT

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: RXk6PjNTN8.exe | Avira: detected
Found malware configuration
Source: RegAsm.exe.6344.1.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}
Source: 0.0.RXk6PjNTN8.exe.da0000.0.unpack | Avira: Label: DR/AutoIt.Gen8
Source: 1.2.RegAsm.exe.820000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.RegAsm.exe.820000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.RXk6PjNTN8.exe.da0000.0.unpack | Avira: Label: DR/AutoIt.Gen8
Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000001.00000002.934955544.0000000000822000.00000020.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000001.00000002.934955544.0000000000822000.00000020.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00E04696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E04696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,2_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,3_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,3_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then call 04CB1B20h 1_2_04CB7AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 1_2_04CB7AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 1_2_04CB14C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 1_2_04CB17F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then jmp 04CB1A73h 1_2_04CB19A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then jmp 04CB1A73h 1_2_04CB19B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 1_2_04CB5B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 1_2_04CB0728
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then mov esp, ebp 1_2_04CB482F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 1_2_04CB6038

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36 104.16.155.36
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_025AA09A recv,1_2_025AA09A
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.936657047.0000000003AA1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.696029669.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.936657047.0000000003AA1000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.696029669.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.695567116.000000000094E000.00000004.00000001.sdmp | String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.695567116.000000000094E000.00000004.00000001.sdmp | String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 153.43.2.0.in-addr.arpa
                  Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.936657047.0000000003AA1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
                  Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.936657047.0000000003AA1000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                  Source: RegAsm.exe, 00000001.00000002.936088295.0000000002AA1000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
                  Source: RegAsm.exe, 00000001.00000002.936088295.0000000002AA1000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/
                  Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.934955544.0000000000822000.00000020.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: RegAsm.exe, 00000001.00000003.674729227.0000000005213000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comandRga
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
                  Source: RegAsm.exe, 00000001.00000003.679728717.0000000005246000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.676756871.0000000005246000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.676435331.0000000005246000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                  Source: RegAsm.exe, 00000001.00000003.675959889.0000000005240000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.675905058.0000000005240000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                  Source: RegAsm.exe, 00000001.00000003.679768865.0000000005246000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersB
                  Source: RegAsm.exe, 00000001.00000003.675959889.0000000005240000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersF
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                  Source: RegAsm.exe, 00000001.00000003.676412231.0000000005246000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersP
                  Source: RegAsm.exe, 00000001.00000003.677782251.0000000005246000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersb
                  Source: RegAsm.exe, 00000001.00000003.676340431.0000000005246000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerst
                  Source: RegAsm.exe, 00000001.00000003.676340431.0000000005246000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersw
                  Source: RegAsm.exe, 00000001.00000002.937213670.0000000005210000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
                  Source: RegAsm.exe, 00000001.00000002.937213670.0000000005210000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comic
                  Source: RegAsm.exe, 00000001.00000002.937213670.0000000005210000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comion
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000003.673284518.0000000005223000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: RegAsm.exe, 00000001.00000003.673366940.0000000005240000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cns-el
                  Source: RegAsm.exe, 00000001.00000003.673366940.0000000005240000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnu-rD
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: RegAsm.exe, 00000001.00000003.674729227.0000000005213000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/.l
                  Source: RegAsm.exe, 00000001.00000003.674729227.0000000005213000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/8
                  Source: RegAsm.exe, 00000001.00000003.674729227.0000000005213000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Hl
                  Source: RegAsm.exe, 00000001.00000003.674729227.0000000005213000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Verd
                  Source: RegAsm.exe, 00000001.00000003.674919766.0000000005215000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Wk
                  Source: RegAsm.exe, 00000001.00000003.674729227.0000000005213000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                  Source: RegAsm.exe, 00000001.00000003.674729227.0000000005213000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: RegAsm.exe, 00000001.00000003.674445047.000000000521A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/.l
                  Source: RegAsm.exe, 00000001.00000003.674445047.000000000521A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/k
                  Source: RegAsm.exe, 00000001.00000003.674919766.0000000005215000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/u
                  Source: RegAsm.exe, 00000001.00000003.674729227.0000000005213000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/x
                  Source: RegAsm.exe, 00000001.00000003.674111615.0000000005213000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/~l
                  Source: vbc.exe, vbc.exe, 00000003.00000002.696029669.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                  Source: RegAsm.exe, 00000001.00000002.936088295.0000000002AA1000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                  Source: RegAsm.exe, 00000001.00000002.937304146.0000000005380000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000003.673685379.000000000521C000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                  Source: RegAsm.exe, 00000001.00000003.673685379.000000000521C000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnITA
                  Source: RegAsm.exe, 00000001.00000003.673685379.000000000521C000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnida
                  Source: RegAsm.exe, 00000001.00000003.673685379.000000000521C000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno
                  Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
                  Source: RegAsm.exe, 00000001.00000002.936088295.0000000002AA1000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.com/
                  Source: RegAsm.exe, 00000001.00000002.936088295.0000000002AA1000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.comx&
                  Source: vbc.exe, 00000003.00000003.695567116.000000000094E000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
                  Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735

                  Key, Mouse, Clipboard, Microphone and Screen Capturing:

                  Yara detected HawkEye Keylogger
                  Source: Yara match | File source: 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.934955544.0000000000822000.00000020.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.936088295.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.670680746.00000000045C2000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6344, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RXk6PjNTN8.exe PID: 6440, type: MEMORY
                  Source: Yara match | File source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegAsm.exe.820000.0.unpack, type: UNPACKEDPE
                  Contains functionality to log keystrokes (.Net Source)
                  Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                  Source: 1.2.RegAsm.exe.820000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
                  Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DA2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW
                  Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00E2CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                  System Summary:

                  Malicious sample detected (through community Yara rule)
                  Source: 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 00000001.00000002.934955544.0000000000822000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000001.00000002.934955544.0000000000822000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 00000001.00000002.936088295.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 00000000.00000003.670680746.00000000045C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000000.00000003.670680746.00000000045C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  Source: 1.2.RegAsm.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 1.2.RegAsm.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
                  AutoIt script contains suspicious strings
                  Source: RXk6PjNTN8.exe | AutoIt Script: 7 = 53323455 THEN $BIN_SHELLCODE &= UPXLIRRERCMY (MB
                  Source: RXk6PjNTN8.exe | AutoIt Script: ("x0165744" ) ) , $LPSHELLCODE + UPXLIRRERCMY (MBL
                  Binary is likely a compiled AutoIt script file
                  Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DA3B4C This is a third-party compiled AutoIt script.
                  Source: RXk6PjNTN8.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: RXk6PjNTN8.exe, 00000000.00000000.667219414.0000000000E55000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: RXk6PjNTN8.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04D35C8A NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04D35BE2 NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04D35B3A NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04D35AF6 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04D35C5D NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DC33C7
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DAFE40
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DB6843
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DD7006
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DC283A
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DB3190
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DB710E
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DA1287
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DC1BB8
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DC6361
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DCF419
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DC2405
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DCCD61
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DD6522
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DC1FD0
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DCBFE6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_025A28A4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04CB7DC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04CB7AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04CB6048
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04CB5758
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04CB7088
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04CB7098
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04CB1D98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04CB1DA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00411F99
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: String function: 00DC8B40 appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: RXk6PjNTN8.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RXk6PjNTN8.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RXk6PjNTN8.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RXk6PjNTN8.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RXk6PjNTN8.exe, 00000000.00000003.670786200.0000000004642000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs RXk6PjNTN8.exe
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs RXk6PjNTN8.exe
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs RXk6PjNTN8.exe
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs RXk6PjNTN8.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: security.dll
Source: 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.934955544.0000000000822000.00000020.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.934955544.0000000000822000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.936088295.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.670680746.00000000045C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000003.670680746.00000000045C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.RegAsm.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.RegAsm.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.820000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.820000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.820000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.820000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.RXk6PjNTN8.exe.45c0000.0.unpack, Form1.cs | Base64 encoded string: '+RXmnKSZ5/18J4a6wZiA2J+0/+twqkUfyaLrnv0ZKHQnqV5dis8BOKe8PtY7cXZm', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.RegAsm.exe.820000.0.unpack, Form1.cs | Base64 encoded string: '+RXmnKSZ5/18J4a6wZiA2J+0/+twqkUfyaLrnv0ZKHQnqV5dis8BOKe8PtY7cXZm', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@7/3@4/2
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00E0A2D5 GetLastError,FormatMessageW
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04D3404A AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_04D34013 AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00E03E91 PeekMessageW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Code function: 0_2_00DA4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Mutant created: \Sessions\1\BaseNamedObjects\verclsid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\holdermail.txt
Source: RXk6PjNTN8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.696029669.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.696029669.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                  Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                  Source: RXk6PjNTN8.exe, 00000000.00000003.670997192.00000000044B0000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: unknown | Process created: C:\Users\user\Desktop\RXk6PjNTN8.exe 'C:\Users\user\Desktop\RXk6PjNTN8.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\RXk6PjNTN8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW64