Analysis Report tn9jVPvlMSqAUX5.exe

Overview

General Information

Sample Name: tn9jVPvlMSqAUX5.exe
Analysis ID: 319578
MD5: afd45440cb1c77e2ebe1f2247573d04a
SHA1: 36b35c3ca9db092dd6a1cf157625475fa2226e05
SHA256: babf0fe64b0415f9eaabfa1aa91f1fbed20bc21ba93f3514f18fdc298d6cb54f
Tags: ESP, exe, geo, NanoCore, RAT

Detection

Nanocore, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected MailPassView
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • tn9jVPvlMSqAUX5.exe (PID: 6228 cmdline: 'C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe' MD5: AFD45440CB1C77E2EBE1F2247573D04A)
    • schtasks.exe (PID: 4812 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • tn9jVPvlMSqAUX5.exe (PID: 940 cmdline: {path} MD5: AFD45440CB1C77E2EBE1F2247573D04A)
      • vbc.exe (PID: 5852 cmdline: 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\43ogpuf5.fhl' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 2228 cmdline: 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\wsrpbxdq.ypo' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000D.00000002.779662410.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x24525d:$x1: NanoCore.ClientPluginHost
  • 0x24529a:$x2: IClientNetworkHost
  • 0x248dcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x244fc5:$a: NanoCore
  • 0x244fd5:$a: NanoCore
  • 0x245209:$a: NanoCore
  • 0x24521d:$a: NanoCore
  • 0x24525d:$a: NanoCore
  • 0x245024:$b: ClientPlugin
  • 0x245226:$b: ClientPlugin
  • 0x245266:$b: ClientPlugin
  • 0x123e6f:$c: ProjectData
  • 0x24514b:$c: ProjectData
  • 0x124ba9:$d: DESCrypto
  • 0x245b52:$d: DESCrypto
  • 0x24d51e:$e: KeepAlive
  • 0x24b50c:$g: LogClientMessage
  • 0x247707:$i: get_Connected
  • 0x245e88:$j: #=q
  • 0x245eb8:$j: #=q
  • 0x245ed4:$j: #=q
  • 0x245f04:$j: #=q
  • 0x245f20:$j: #=q
  • 0x245f3c:$j: #=q

Source: 00000000.00000002.679213235.00000000038CE000.00000004.00000001.sdmp
Rule: JoeSecurity_AntiVM_3
Description: Yara detected AntiVM_3
Author: Joe Security

Unpacked PEs

Source: 12.2.vbc.exe.400000.0.raw.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 12.2.vbc.exe.400000.0.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 13.2.vbc.exe.400000.0.raw.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 13.2.vbc.exe.400000.0.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe, ProcessId: 940, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe', ParentImage: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe, ParentProcessId: 6228, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp', ProcessId: 4812

Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\PEcoOLaILWJ.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: tn9jVPvlMSqAUX5.exe; Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 12_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 13_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 13_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe; Code function: 0_2_07D75204 4x nop then jmp 07D75F66h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 23.105.131.229:4040
Source: global traffic; TCP traffic: 192.168.2.4:49737 -> 23.105.131.229:4040
Source: Joe Sandbox View; ASN Name: LEASEWEB-USA-NYC-11US
Source: unknown; TCP traffic detected without corresponding DNS query: 23.105.131.229
Source: vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmpString found in binary or memory: http://www.agfamonotype.c
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmp, tn9jVPvlMSqAUX5.exe, 00000000.00000003.659291239.0000000005BEE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comC
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658931796.0000000005BEE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.659131617.0000000005BEE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC;
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.659016913.0000000005BEE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comhly
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comic
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comlay
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comter;
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658966784.0000000005BEE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comypo
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.659460402.0000000005BEE000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comypoooM
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.662728113.0000000005BEB000.00000004.00000001.sdmp, tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664049989.0000000005BE9000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersC
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.662154281.0000000005BEB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerse
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.661745512.0000000005BEB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersj
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.662779891.0000000005BE9000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersp
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664193689.0000000005BE9000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerss
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.662154281.0000000005BEB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsd
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.681755462.0000000005BB0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comtud
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.681755462.0000000005BB0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comzana
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656517087.0000000005BCB000.00000004.00000001.sdmp, tn9jVPvlMSqAUX5.exe, 00000000.00000003.656388352.0000000005BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656388352.0000000005BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comnte
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656388352.0000000005BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comx
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658175442.0000000005BED000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658458272.0000000005BB4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658458272.0000000005BB4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn3
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658458272.0000000005BB4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnG
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658175442.0000000005BED000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnl-p
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.665387814.0000000005BBD000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: vbc.exe, vbc.exe, 0000000D.00000002.779662410.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000002.779579503.0000000000195000.00000004.00000010.sdmp, 43ogpuf5.fhl.12.dr, wsrpbxdq.ypo.13.drString found in binary or memory: http://www.nirsoft.net/
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656319398.0000000005BCB000.00000004.00000001.sdmp, tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656319398.0000000005BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comuct
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.657584628.0000000005BB6000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr/c
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.657584628.0000000005BB6000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr=
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.657584628.0000000005BB6000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krndo:
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656781448.0000000005BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comR
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656687566.0000000005BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.coma
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.656781448.0000000005BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comc
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: vbc.exe, 0000000D.00000003.779333133.0000000000AAE000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
                Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
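
The string list above mixes three very different things that deserve different handling during triage: the type-foundry URLs (fontbureau.com, carterandcone.com, tiro.com, founder.com.cn and the rest) are copyright strings from the font files a .NET GUI process maps when GDI+ enumerates installed fonts and are not attacker infrastructure; the NirSoft URL (http://www.nirsoft.net/) identifies the MailPassView/WebBrowserPassView payload running inside the hollowed vbc.exe; and the login-page URLs (login.yahoo.com, google.com/accounts/servicelogin) are the sites that the browser password tool knows how to read credentials for. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It parses entries in this report's format (including the fused "sdmpString found" form produced by extraction), deduplicates them, classifies each URL with heuristic domain lists that are the example's own assumption, and flags strings that live in a PAGE_EXECUTE_READWRITE (0x40) dump, which in vbc.exe is where the injected PE sits. The reading of the .sdmp file-name fields as process index, dump type, dump id, base address, protection and flags is also an assumption; the sample entries are copied from the report above.

```python
"""Triage of Joe Sandbox "String found in binary or memory" entries.

Added example for this report page, not Joe Sandbox code and not part of the
analysed sample. SAMPLE_ENTRIES is copied from the report; the categories, the
domain lists and the reading of the .sdmp file-name fields are assumptions.
"""
import re
from collections import Counter, OrderedDict

# Constructed input: entries copied from this section. The first line keeps
# the extraction artefact where "sdmp" runs straight into "String found".
SAMPLE_ENTRIES = """
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.658931796.0000000005BEE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: vbc.exe, vbc.exe, 0000000D.00000002.779662410.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000002.779579503.0000000000195000.00000004.00000010.sdmp, 43ogpuf5.fhl.12.dr, wsrpbxdq.ypo.13.dr | String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000003.664377780.0000000005BB4000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.c
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.683195015.0000000006B20000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
"""

ENTRY_RE = re.compile(r"Source:\s*(?P<sources>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<value>\S.*)")
URL_RE = re.compile(r"https?://(?P<host>[^/\s?&;:]+)")
# Assumed dump-name layout: <process idx>.<dump type>.<dump id>.<base>.<protection>.<flags>.sdmp
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant

# First DNS label of type-foundry sites whose copyright strings live inside font
# files; matching on the first label tolerates junk such as "carterandcone.comTC".
FONT_VENDOR_LABELS = {
    "fontbureau", "carterandcone", "tiro", "fonts", "sajatypeworks", "sakkal",
    "sandoll", "goodfont", "jiyu-kobo", "founder", "zhongyicts", "galapagosdesign",
    "urwpp", "typography", "fontfabrik", "agfamonotype",
    "apache",  # Apache-2.0 licence URL embedded in open-licensed fonts
}
CREDENTIAL_SITES = ("yahoo.com", "google.com", "facebook.com")  # login/consent pages


def classify(value):
    """Map one extracted string to a heuristic triage category."""
    m = URL_RE.search(value)
    if not m:
        return "review"
    host = m.group("host").lower()
    host = host[4:] if host.startswith("www.") else host
    label = host.split(".")[0]
    if label == "nirsoft":
        return "password-recovery-tool"  # NirSoft MailPassView / WebBrowserPassView
    if any(host == s or host.endswith("." + s) for s in CREDENTIAL_SITES):
        return "credential-site-url"
    if label == "microsoft":
        return "browser-artifact"  # Edge/IE welcome pages from the VM's browser history
    return "font-metadata" if label in FONT_VENDOR_LABELS else "review"


def parse_entries(text):
    """Yield (sources, value); sources mix process names, dumps and dropped files."""
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            yield [s.strip() for s in m.group("sources").split(",")], m.group("value").strip()


def triage(text):
    """Deduplicate entries by value; attach category, hit count and source set."""
    table = OrderedDict()
    for sources, value in parse_entries(text):
        rec = table.setdefault(value, {"category": classify(value), "hits": 0, "sources": set()})
        rec["hits"] += 1
        rec["sources"].update(sources)
    return table


def category_counts(table):
    return dict(Counter(rec["category"] for rec in table.values()))


def decode_dump(name):
    """Fields of a .sdmp name, or None for process and dropped-file names."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return {"process_index": int(m.group(1), 16), "dump_type": int(m.group(2), 16),
            "base": int(m.group(3), 16), "protect": int(m.group(4), 16)}


def rwx_regions(table):
    """(value, process index, base) for strings that sit in a writable and
    executable region: in vbc.exe, the VB.NET compiler, that is the footprint
    of the injected PE rather than of the legitimate image."""
    hits = []
    for value, rec in table.items():
        for src in sorted(rec["sources"]):
            d = decode_dump(src)
            if d and d["protect"] == PAGE_EXECUTE_READWRITE:
                hits.append((value, d["process_index"], d["base"]))
    return hits


if __name__ == "__main__":
    table = triage(SAMPLE_ENTRIES)
    for value, rec in table.items():
        print(f"{rec['category']:24} x{rec['hits']}  {value}")
    print("category counts:", category_counts(table))
    print("strings in RWX regions:", [(v, p, hex(b)) for v, p, b in rwx_regions(table)])
```

Run over the full entry list of this section the script reports a single RWX hit, the nirsoft.net string in process 13 (vbc.exe) at base 0x400000, which lines up with the "Injects a PE file into a foreign processes" signature; everything in the font-metadata category can be dropped from the IOC set, and only the NirSoft and credential-site strings are worth carrying into detection content.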

                E-Banking Fraud:

                Yara detected Nanocore RAT
                Source: Yara match | File source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
                Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
                Source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                Source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
                Source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_07D016A6 NtQuerySystemInformation
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03494F68
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03491D30
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03492BC8
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_034913C0
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03490BD8
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03498AB0
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03494B48
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03494F5A
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_0349A350
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03494D70
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03492B76
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03499508
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03491D21
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03494B38
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_034983C8
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_034983D8
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03494D80
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03493980
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03493990
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03494390
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_034949A9
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_034943A0
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_034949B8
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_034913B0
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03490BB2
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03490099
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03498E91
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_034900A8
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03498AA1
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03498EA0
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03499CA0
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_07D73A8E
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_07D75204
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_07D73AED
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_07D73F4D
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_03494F680_2_03494F68
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_03491D300_2_03491D30
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_03492BC80_2_03492BC8
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_034913C00_2_034913C0
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_03490BD80_2_03490BD8
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_03498AB00_2_03498AB0
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_03494B480_2_03494B48
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_03494F5A0_2_03494F5A
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_0349A3500_2_0349A350
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_03494D700_2_03494D70
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_03492B760_2_03492B76
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_034995080_2_03499508
                Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exeCode function: 0_2_03491D210_2_03491D21
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: tn9jVPvlMSqAUX5.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PEcoOLaILWJ.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tn9jVPvlMSqAUX5.exe | Binary or memory string: OriginalFilename vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.682572893.0000000006670000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.682572893.0000000006670000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.675653764.0000000000F72000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename. vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.685197261.0000000007CA0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.681641092.0000000005B70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.684337664.0000000007B20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.682504136.0000000006610000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000004.00000000.674548463.0000000000DE2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename. vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe, 00000004.00000003.808207077.0000000004A24000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs tn9jVPvlMSqAUX5.exe
Source: tn9jVPvlMSqAUX5.exe | Binary or memory string: OriginalFilename. vs tn9jVPvlMSqAUX5.exe
Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.680469030.0000000004A3C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.679941870.000000000488D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: tn9jVPvlMSqAUX5.exe PID: 6228, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@8/9@0/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_07D0152A AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | File created: C:\Users\user\AppData\Roaming\PEcoOLaILWJ.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_01
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Mutant created: \Sessions\1\BaseNamedObjects\dYrwJsHlWVJ
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ffb0dc66-d99d-438c-a7fd-cb3d38408dcc}
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | File created: C:\Users\user\AppData\Local\Temp\tmpECFC.tmp
Source: tn9jVPvlMSqAUX5.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 0000000D.00000002.779662410.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: tn9jVPvlMSqAUX5.exe | String found in binary or memory: icons8-Add-16
Source: tn9jVPvlMSqAUX5.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: tn9jVPvlMSqAUX5.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: tn9jVPvlMSqAUX5.exe | String found in binary or memory: icons8-Add-16k!
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | File read: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe
Source: unknown | Process created: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe 'C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\43ogpuf5.fhl'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\wsrpbxdq.ypo'
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp'
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Process created: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe {path}
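The process-creation rows above carry three launch patterns a detection engineer would want to key on: schtasks.exe registering a task from an XML file written to %TEMP% (the "Scheduled temp file as task from temp location" Sigma hit), the .NET compiler vbc.exe being started with a NirSoft-style /shtml report switch that vbc.exe does not have (consistent with the MailPassView and WebBrowserPassView code the report finds inside it), and the sample re-launching its own image with the literal argument {path}. The Python below is an added example written for this page, not code from the Joe Sandbox report or from any tool it names. The records are constructed from the command lines shown above with the sandbox's single-quote rendering; the field names, the benign compiler invocation used as a control, and the extension of the host list beyond vbc.exe to csc.exe, RegAsm.exe and RegSvcs.exe are the editor's assumptions.

```python
"""Triage of process-creation records for the three launch patterns in this report.

Added example, not part of the Joe Sandbox report. Input records are constructed
here from the report's own process tree; field names are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # image path of the creating process ("unknown" if not observed)
    image: str          # image path of the created process
    cmdline: str        # full command line as logged


# Constructed from the "Process created" rows above (quotes as the sandbox rendered them).
SAMPLE_EVENTS = [
    ProcEvent("unknown",
              r"C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe",
              r"'C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe'"),
    ProcEvent(r"C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PEcoOLaILWJ' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmpECFC.tmp'"),
    ProcEvent("unknown",
              r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(r"C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe",
              r"C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe",
              "{path}"),
    ProcEvent("unknown",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml "
              r"'C:\Users\user\AppData\Local\Temp\43ogpuf5.fhl'"),
    # Benign control (constructed): a real compiler invocation must not fire rule 2.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"vbc.exe /target:library /out:C:\build\lib.dll C:\build\a.vb"),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCHTASKS_XML_RE = re.compile(r"""/XML\s+['"]?([^'"]+)""", re.IGNORECASE)
# NirSoft "save report" switches (/shtml, /stext, ...); a .NET compiler has none of them.
NIRSOFT_SAVE_RE = re.compile(r"(?:^|\s)/s(?:html|verhtml|xml|text|comma|tabular|tab)\b",
                             re.IGNORECASE)
# vbc.exe is the host this report shows; the other names are an assumption that
# generalises to the sibling .NET framework binaries commonly used the same way.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the record satisfies (empty list if none)."""
    hits = []
    name, cmd = _name(ev.image), ev.cmdline

    # 1. Scheduled task registered from an XML definition that lives in %TEMP%.
    if name == "schtasks.exe" and "/create" in cmd.lower():
        m = SCHTASKS_XML_RE.search(cmd)
        if m and TEMP_DIR_RE.search(m.group(1)):
            hits.append("schtasks_xml_from_temp")

    # 2. A .NET framework utility carrying NirSoft report switches: the code running
    #    under that image name is a credential-recovery tool, not the compiler.
    if name in DOTNET_HOSTS and NIRSOFT_SAVE_RE.search(cmd):
        hits.append("nirsoft_in_dotnet_host")

    # 3. The sample re-launching its own image with the literal argument "{path}",
    #    exactly as the report logs the second tn9jVPvlMSqAUX5.exe instance.
    if ev.parent_image.lower() == ev.image.lower() and cmd.strip() == "{path}":
        hits.append("self_respawn_placeholder_cmdline")
    return hits


def triage(events) -> dict[str, list[str]]:
    """Map rule name -> image paths that triggered it, over a whole process tree."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for rule in check_event(ev):
            report.setdefault(rule, []).append(ev.image)
    return report


if __name__ == "__main__":
    for rule, images in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {', '.join(images)}")
```

Rule 1 deliberately keys on the XML path rather than the task name, because the task name (Updates\PEcoOLaILWJ here) is randomised per build while the %TEMP% staging of the task definition is structural. Rule 2 is the cheap version of a hollowing check: it catches the command line, not the injected image, so a loader that passes no arguments would need the PDB-path or YARA checks elsewhere in this report.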
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: tn9jVPvlMSqAUX5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: tn9jVPvlMSqAUX5.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: tn9jVPvlMSqAUX5.exe | Static file information: File size 1105920 > 1048576
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: tn9jVPvlMSqAUX5.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x109a00
Source: tn9jVPvlMSqAUX5.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: tn9jVPvlMSqAUX5.exe, 00000004.00000003.808207077.0000000004A24000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: vbc.exe
Source: Binary string: mscorrc.pdb | source: tn9jVPvlMSqAUX5.exe, 00000000.00000002.684337664.0000000007B20000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 12_2_00403C3D
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_00F73DA0 push edx; iretd 0_2_00F73DA1
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_00F73185 pushad ; ret 0_2_00F731B4
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_00F72760 push ebx; retf 0_2_00F72772
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_00F75B4D push edx; retf 0_2_00F75B5C
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_00F73134 push eax; retf 0_2_00F73143
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_00F72333 push ecx; retf 0_2_00F72334
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_00F72A3F push esp; retf 0_2_00F72A40
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_00F7311E pushad ; ret 0_2_00F731B4
Source: C:\Users\user\Desktop\tn9jVPvlMSqAUX5.exe | Code function: 0_2_03491922 push ecx; iretd 0_2_03491924