Analysis Report tn9jVPvlMSqAUX5.exe

Overview

General Information

Sample Name: tn9jVPvlMSqAUX5.exe
Analysis ID: 319578
MD5: afd45440cb1c77e2ebe1f2247573d04a
SHA1: 36b35c3ca9db092dd6a1cf157625475fa2226e05
SHA256: babf0fe64b0415f9eaabfa1aa91f1fbed20bc21ba93f3514f18fdc298d6cb54f
Tags: ESP, exe, geo, NanoCore, RAT

Detection

Nanocore MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected MailPassView
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\PEcoOLaILWJ.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: tn9jVPvlMSqAUX5.exe Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 13_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 13_2_00407E0E

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 4x nop then jmp 07D75F66h 0_2_07D75204

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 23.105.131.229:4040
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49737 -> 23.105.131.229:4040
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
Source: unknown TCP traffic detected without corresponding DNS query: 23.105.131.229
Source: vbc.exe, 0000000D.00000002.779662410.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000002.779662410.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000003.779333133.0000000000AAE000.00000004.00000001.sdmp String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000003.779333133.0000000000AAE000.00000004.00000001.sdmp String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.agfamonotype.c
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmp, tn9jVPvlMSqAUX5.exe, 00000000.00000003.659291239.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comC
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658931796.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.659131617.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC;
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.659016913.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comhly
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comic
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comlay
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comter;
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comypo
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.659460402.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comypoooM
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com.TTF
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.662728113.0000000005BEB000.00000004.00000001.sdmp, tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664049989.0000000005BE9000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersC
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.662154281.0000000005BEB000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerse
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.661745512.0000000005BEB000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersj
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.662779891.0000000005BE9000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersp
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664193689.0000000005BE9000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerss
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.662154281.0000000005BEB000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerst
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalsd
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.681755462.0000000005BB0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comtud
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.681755462.0000000005BB0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comzana
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656517087.0000000005BCB000.00000004.00000001.sdmp, tn9jVPvlMSqAUX5.exe, 00000000.00000003.656388352.0000000005BCB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656388352.0000000005BCB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comnte
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656388352.0000000005BCB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comx
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658175442.0000000005BED000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658458272.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658458272.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn3
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658458272.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnG
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658175442.0000000005BED000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnl-p
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.665387814.0000000005BBD000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, vbc.exe, 0000000D.00000002.779662410.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000002.779579503.0000000000195000.00000004.00000010.sdmp, 43ogpuf5.fhl.12.dr, wsrpbxdq.ypo.13.dr String found in binary or memory: http://www.nirsoft.net/
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656319398.0000000005BCB000.00000004.00000001.sdmp, tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656319398.0000000005BCB000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comuct
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.657584628.0000000005BB6000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr/c
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.657584628.0000000005BB6000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr=
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.657584628.0000000005BB6000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krndo:
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656781448.0000000005BCB000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comR
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656687566.0000000005BCB000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.coma
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656781448.0000000005BCB000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comc
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe, 0000000D.00000003.779333133.0000000000AAE000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
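Most of the URL hits above are not indicators at all. fontbureau, carterandcone, tiro, sandoll, founder, urwpp, zhongyicts and the other hosts are font foundries whose URLs sit in the name-table and license metadata of fonts shipped with Windows; any process that uses GDI+ (which includes a WinForms .NET sample) maps those font files, so the same strings show up in memory dumps of almost every managed binary, and the trailing characters (designersC, .comalsd, the truncated agfamonotype.c) are string-extraction garbage. The hits that matter are the ones held by vbc.exe, the .NET Visual Basic compiler, which has no reason to contain http://www.nirsoft.net/ or webmail login endpoints; they corroborate the MailPassView and WebBrowserPassView detections. The following script is an added example, not part of the Joe Sandbox report: it parses report lines of this shape and separates font-metadata noise from hits an analyst should review, keyed by the process or dropped file that held them. The vendor allowlist and the rule "anything not on the allowlist is reported per holder" are this example's assumptions, and REPORT_LINES is a subset of the lines above.

```python
"""Triage "String found in binary or memory" URL hits from a sandbox report.

Added example, not part of the Joe Sandbox report. REPORT_LINES is a subset
of the report's own lines; FONT_VENDOR_HOSTS and the classification rule are
this example's assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts found in the name-table / licence metadata of fonts shipped with Windows.
# Assumption: list built from the vendors seen in this report; extend per environment.
FONT_VENDOR_HOSTS = {
    "www.fontbureau.com", "www.fonts.com", "www.founder.com.cn",
    "www.galapagosdesign.com", "www.goodfont.co.kr", "www.jiyu-kobo.co.jp",
    "www.sajatypeworks.com", "www.sakkal.com", "www.sandoll.co.kr",
    "www.tiro.com", "www.typography.net", "www.urwpp.de",
    "www.zhongyicts.com.cn", "fontfabrik.com", "www.agfamonotype.com",
    "www.carterandcone.com",
    "www.apache.org",  # Apache-2.0 licence text embedded in some font files
}

LINE_RE = re.compile(
    r"^Source:\s*(?P<sources>.+?)\s+String found in binary or memory:\s*(?P<url>\S+)$"
)

# Subset of the report's lines, copied verbatim.
REPORT_LINES = [
    "Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664049989.0000000005BE9000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersC",
    "Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalsd",
    "Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmp String found in binary or memory: http://www.agfamonotype.c",
    "Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.657584628.0000000005BB6000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krndo:",
    "Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0",
    "Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.659131617.0000000005BEE000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC;",
    "Source: vbc.exe, vbc.exe, 0000000D.00000002.779662410.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000002.779579503.0000000000195000.00000004.00000010.sdmp, 43ogpuf5.fhl.12.dr, wsrpbxdq.ypo.13.dr String found in binary or memory: http://www.nirsoft.net/",
    "Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login",
    "Source: vbc.exe, 0000000D.00000003.779333133.0000000000AAE000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4",
    "Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin",
]


def parse_line(line):
    """Return (holders, url) for one report line, or None if it is not a URL hit.

    holders are the process names and dropped files in the Source field;
    memory-dump identifiers (*.sdmp) are discarded.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    holders = sorted({tok.strip() for tok in m.group("sources").split(",")
                      if tok.strip() and not tok.strip().endswith(".sdmp")})
    return holders, m.group("url")


def vendor_host(url):
    """Map a URL to the allowlisted font-vendor host it came from, or None.

    Tolerates extraction garbage ('.comalsd', '/designersC') and truncation
    ('.c'): the host only has to share a prefix with an allowlisted vendor.
    """
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return None
    for vendor in FONT_VENDOR_HOSTS:
        if host.startswith(vendor) or (len(host) >= 8 and vendor.startswith(host)):
            return vendor
    return None


def triage(lines):
    """Split URL hits into noise (collapsed per vendor) and hits to review (per holder)."""
    noise, review = defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        holders, url = parsed
        vendor = vendor_host(url)
        if vendor:
            noise[vendor].add(url)
        else:
            for holder in holders:
                review[holder].add(url)
    return dict(noise), dict(review)


if __name__ == "__main__":
    noise, review = triage(REPORT_LINES)
    print(f"{sum(len(v) for v in noise.values())} URL variants collapse to {len(noise)} font vendors (noise)")
    for holder, urls in sorted(review.items()):
        print(f"review: {holder}")
        for url in sorted(urls):
            print(f"    {url}")
```

Run against the full report this collapses dozens of fontbureau/carterandcone variants into a handful of vendor entries and leaves only the vbc.exe hits and the two dropped files (43ogpuf5.fhl.12.dr, wsrpbxdq.ypo.13.dr) that carry the NirSoft string, which is the set worth pivoting on.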

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 12_2_0040AC8A

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to call native functions
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_07D016A6 NtQuerySystemInformation, 0_2_07D016A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 13_2_00408836
Detected potential crypto function
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03494F68 0_2_03494F68
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03491D30 0_2_03491D30
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03492BC8 0_2_03492BC8
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_034913C0 0_2_034913C0
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03490BD8 0_2_03490BD8
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03498AB0 0_2_03498AB0
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03494B48 0_2_03494B48
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03494F5A 0_2_03494F5A
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_0349A350 0_2_0349A350
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03494D70 0_2_03494D70
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03492B76 0_2_03492B76
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03499508 0_2_03499508
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03491D21 0_2_03491D21
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03494B38 0_2_03494B38
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_034983C8 0_2_034983C8
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_034983D8 0_2_034983D8
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03494D80 0_2_03494D80
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03493980 0_2_03493980
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03493990 0_2_03493990
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03494390 0_2_03494390
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_034949A9 0_2_034949A9
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_034943A0 0_2_034943A0
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_034949B8 0_2_034949B8
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_034913B0 0_2_034913B0
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03490BB2 0_2_03490BB2
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03490099 0_2_03490099
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03498E91 0_2_03498E91
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_034900A8 0_2_034900A8
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03498AA1 0_2_03498AA1
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03498EA0 0_2_03498EA0
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03499CA0 0_2_03499CA0
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_07D73A8E 0_2_07D73A8E
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_07D75204 0_2_07D75204
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_07D73AED 0_2_07D73AED
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_07D73F4D 0_2_07D73F4D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00404DDB 12_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040BD8A 12_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00404E4C 12_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00404EBD 12_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00404F4E 12_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00404419 13_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00404516 13_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00413538 13_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004145A1 13_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040E639 13_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004337AF 13_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004399B1 13_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0043DAE7 13_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00405CF6 13_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00403F85 13_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00411F99 13_2_00411F99
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
PE file contains strange resources
Source: tn9jVPvlMSqAUX5.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PEcoOLaILWJ.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: tn9jVPvlMSqAUX5.exe Binary or memory string: OriginalFilename vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.682572893.0000000006670000.00000002.00000001.sdmp Binary or memory string: originalfilename vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.682572893.0000000006670000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.675653764.0000000000F72000.00000002.00020000.sdmp Binary or memory string: OriginalFilename. vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.685197261.0000000007CA0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameB2B.exe4 vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.681641092.0000000005B70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMARCUS.dll4 vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.684337664.0000000007B20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.682504136.0000000006610000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000004.00000000.674548463.0000000000DE2000.00000002.00020000.sdmp Binary or memory string: OriginalFilename. vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000004.00000003.808207077.0000000004A24000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe Binary or memory string: OriginalFilename. vs tn9jVPvlMSqAUX5.exe
Yara signature match
Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@8/9@0/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 13_2_00415AFD
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_07D0152A AdjustTokenPrivileges, 0_2_07D0152A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 13_2_00415F87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 13_2_00411196
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource, 12_2_0040ED0B
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe File created: C:\Users\user\AppData\Roaming\PEcoOLaILWJ.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_01
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Mutant created: \Sessions\1\BaseNamedObjects\dYrwJsHlWVJ
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{ffb0dc66-d99d-438c-a7fd-cb3d38408dcc}
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe File created: C:\Users\user\AppData\Local\Temp\tmpECFC.tmp
Source: tn9jVPvlMSqAUX5.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 0000000D.00000002.779662410.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: tn9jVPvlMSqAUX5.exe String found in binary or memory: icons8-Add-16
Source: tn9jVPvlMSqAUX5.exe String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: tn9jVPvlMSqAUX5.exe String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: tn9jVPvlMSqAUX5.exe String found in binary or memory: icons8-Add-16k!
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe File read: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe
Source: unknown Process created: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe 'C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe {path}
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\43ogpuf5.fhl'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\wsrpbxdq.ypo'
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp'
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process created: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe {path}
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: tn9jVPvlMSqAUX5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: tn9jVPvlMSqAUX5.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: tn9jVPvlMSqAUX5.exe Static file information: File size 1105920 > 1048576
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: tn9jVPvlMSqAUX5.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x109a00
Source: tn9jVPvlMSqAUX5.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: tn9jVPvlMSqAUX5.exe, 00000004.00000003.808207077.0000000004A24000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: vbc.exe
Source: Binary string: mscorrc.pdb source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.684337664.0000000007B20000.00000002.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 12_2_00403C3D
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_00F73DA0 push edx; iretd 0_2_00F73DA1
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_00F73185 pushad ; ret 0_2_00F731B4
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_00F72760 push ebx; retf 0_2_00F72772
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_00F75B4D push edx; retf 0_2_00F75B5C
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_00F73134 push eax; retf 0_2_00F73143
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_00F72333 push ecx; retf 0_2_00F72334
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_00F72A3F push esp; retf 0_2_00F72A40
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_00F7311E pushad ; ret 0_2_00F731B4
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03491922 push ecx; iretd 0_2_03491924
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_03497290 push esi; iretd 0_2_0349729A
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Code function: 0_2_034922BE push edx; retf 0_2_034922C1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00411879 push ecx; ret 12_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_004118A0 push eax; ret 12_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_004118A0 push eax; ret 12_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442871 push ecx; ret 13_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442A90 push eax; ret 13_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442A90 push eax; ret 13_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00446E54 push eax; ret 13_2_00446E61
Source: initial sample Static PE information: section name: .text entropy: 7.37322926627

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe File created: C:\Users\user\AppData\Roaming\PEcoOLaILWJ.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe File opened: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_0040F64B
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.679213235.00000000038CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLX1
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 13_2_00408836
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Window / User API: threadDelayed 565
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Window / User API: threadDelayed 521
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Window / User API: foregroundWindowGot 764
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Window / User API: foregroundWindowGot 627
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe TID: 6432 Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe TID: 5760 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe TID: 5864 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe TID: 5732 Thread sleep time: -660000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 13_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 13_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004161B0 memset,GetSystemInfo, 13_2_004161B0
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: VMware
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: vmwareX1
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: VMWARE|9
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: q#"SOFTWARE\VMware, Inc.\VMware ToolsX1
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: q&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: VMware|9
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: VMware |9
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIX1
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: VMWAREX1
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: QEMUX1
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.679846825.0000000003BB8000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 13_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 12_2_00403C3D
Enables debug privileges
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Memory written: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp'
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Process created: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe {path}

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 13_2_0041604B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 12_2_0040724C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00406278 GetVersionExA, 12_2_00406278
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match File source: 0000000C.00000002.774211357.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.808207077.0000000004A24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 5852, type: MEMORY
Source: Yara match File source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 940, type: MEMORY
Source: Yara match File source: 12.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 12_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 12_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 12_2_004033D7
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 0000000D.00000002.779662410.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2228, type: MEMORY
Source: Yara match File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY
Behavior Graph:

Behavior Graph ID: 319578
Sample: tn9jVPvlMSqAUX5.exe
Startdate: 18/11/2020
Architecture: WINDOWS
Score: 100

Start node signatures:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Malicious sample detected (through community Yara rule)
  • Sigma detected: Scheduled temp file as task from temp location
  • 10 other signatures

Process: tn9jVPvlMSqAUX5.exe 6 (started from the start node)
  Dropped files:
    • C:\Users\user\AppData\...\PEcoOLaILWJ.exe, PE32
    • C:\Users\user\AppData\Local\...\tmpECFC.tmp, XML
    • C:\Users\user\...\tn9jVPvlMSqAUX5.exe.log, ASCII
  Signatures:
    • Injects a PE file into a foreign processes
  Started processes:
    • tn9jVPvlMSqAUX5.exe 11
    • schtasks.exe 1

Process: tn9jVPvlMSqAUX5.exe 11 (started by tn9jVPvlMSqAUX5.exe 6)
  DNS/IP Info:
    • 23.105.131.229, 4040, 49743 LEASEWEB-USA-NYC-11US United States
  Dropped files:
    • C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO
  Signatures:
    • Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started processes:
    • vbc.exe 1
    • vbc.exe 13

Process: schtasks.exe 1 (started by tn9jVPvlMSqAUX5.exe 6)
  Started processes:
    • conhost.exe

Process: vbc.exe 1 (started by tn9jVPvlMSqAUX5.exe 11)
  Signatures:
    • Tries to steal Mail credentials (via file registry)
    • Tries to steal Instant Messenger accounts or passwords
    • Tries to steal Mail credentials (via file access)

Process: vbc.exe 13 (started by tn9jVPvlMSqAUX5.exe 11)
  DNS/IP Info:
    • 192.168.2.1 unknown unknown
  Signatures:
    • Tries to harvest and steal browser information (history, passwords, etc)

Contacted Public IPs

IP: 23.105.131.229
Domain: unknown
Country: United States
ASN: 396362
ASN Name: LEASEWEB-USA-NYC-11US
Malicious: true

Private

IP: 192.168.2.1