
Analysis Report Versanddetails.exe

Overview

General Information

Sample Name: Versanddetails.exe
MD5: aea450382b48ccd99595f52e0b40ff30
SHA1: d679f8e4b4e5bb3f2835fd914e4e778d67f4de30
SHA256: 2584a16131adc10eaecbb452ac6e0bd01690c4e6419dae4acb352e442485e5c3

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Maps a DLL or memory area into another process
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Versanddetails.exe (PID: 3804 cmdline: 'C:\Users\user\Desktop\Versanddetails.exe' MD5: AEA450382B48CCD99595F52E0B40FF30)
    • RegAsm.exe (PID: 4024 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 4176 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 4032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1972 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.1164841949.0000000003AF5000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000003.00000002.1162714830.0000000002A90000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x3a568:$hawkstr1: HawkEye Keylogger
  • 0x3e1f4:$hawkstr1: HawkEye Keylogger
  • 0x3e5c4:$hawkstr1: HawkEye Keylogger
  • 0x5f824:$hawkstr1: HawkEye Keylogger
  • 0x3a020:$hawkstr2: Dear HawkEye Customers!
  • 0x3e254:$hawkstr2: Dear HawkEye Customers!
  • 0x3e624:$hawkstr2: Dear HawkEye Customers!
  • 0x3a14e:$hawkstr3: HawkEye Logger Details:
00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b937:$key: HawkEyeKeylogger
  • 0x7dba1:$salt: 099u787978786
  • 0x7bf78:$string1: HawkEye_Keylogger
  • 0x7cdcb:$string1: HawkEye_Keylogger
  • 0x7db01:$string1: HawkEye_Keylogger
  • 0x7c361:$string2: holdermail.txt
  • 0x7c381:$string2: holdermail.txt
  • 0x7c2a3:$string3: wallet.dat
  • 0x7c2bb:$string3: wallet.dat
  • 0x7c2d1:$string3: wallet.dat
  • 0x7d6c5:$string4: Keylog Records
  • 0x7d9dd:$string4: Keylog Records
  • 0x7dbf9:$string5: do not script -->
  • 0x7b91f:$string6: \pidloc.txt
  • 0x7b9ad:$string7: BSPLIT
  • 0x7b9bd:$string7: BSPLIT
00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.RegAsm.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
3.2.RegAsm.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bfb0:$hawkstr1: HawkEye Keylogger
  • 0x7cdf1:$hawkstr1: HawkEye Keylogger
  • 0x7d120:$hawkstr1: HawkEye Keylogger
  • 0x7d27b:$hawkstr1: HawkEye Keylogger
  • 0x7d3de:$hawkstr1: HawkEye Keylogger
  • 0x7d67d:$hawkstr1: HawkEye Keylogger
  • 0x7bb3e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d173:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d431:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc5f:$hawkstr3: HawkEye Logger Details:
0.2.Versanddetails.exe.6140000.2.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Versanddetails.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Versanddetails.exe | Virustotal: Detection: 48%
Source: Versanddetails.exe | ReversingLabs: Detection: 52%
Source: 3.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.RegAsm.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.Versanddetails.exe.6140000.2.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.Versanddetails.exe.6140000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473

Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_077AB708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_077A7ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_077AA6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_077AB865

Source: unknown | DNS traffic detected: query: 56.14.11.0.in-addr.arpa replaycode: Name error (3)
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1164841949.0000000003AF5000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1164841949.0000000003AF5000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 56.14.11.0.in-addr.arpa
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1164841949.0000000003AF5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1164841949.0000000003AF5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000003.00000002.1162714830.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000003.00000002.1164713286.0000000003A90000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000003.00000002.1163444066.0000000002C5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000003.00000002.1168092313.0000000005C86000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Versanddetails.exe | String found in binary or memory: https://in.appcenter.ms
Source: Versanddetails.exe | String found in binary or memory: https://in.appcenter.ms./logs?api-version=1.0.0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077A679C SetWindowsHookExA 0000000D,00000000,?,? | 3_2_077A679C
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: Versanddetails.exe, 00000000.00000002.1546235828.0000000001790000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.1162714830.0000000002A90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1548489794.0000000006142000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1548489794.0000000006142000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1546624783.00000000043E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1546624783.00000000043E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1163444066.0000000002C5F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Versanddetails.exe.6140000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Versanddetails.exe.6140000.2.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_033600AD NtOpenSection,NtMapViewOfSection, | 0_2_033600AD
Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_03361C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread, | 0_2_03361C09
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_00FB566A | 0_2_00FB566A
Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_00FB252C | 0_2_00FB252C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06EF0040 | 3_2_06EF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077A9F80 | 3_2_077A9F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077AA6D8 | 3_2_077AA6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077A5EB8 | 3_2_077A5EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077A55E8 | 3_2_077A55E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077A9B50 | 3_2_077A9B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077A92E8 | 3_2_077A92E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077A9F71 | 3_2_077A9F71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077A9B40 | 3_2_077A9B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077A52A0 | 3_2_077A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077A001F | 3_2_077A001F
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1972
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Versanddetails.exe
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Versanddetails.exe
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Versanddetails.exe
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Versanddetails.exe
Source: Versanddetails.exe, 00000000.00000002.1548108722.0000000005820000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameuZYruFgPNjXpoMFV.river.exe4 vs Versanddetails.exe
Source: Versanddetails.exe, 00000000.00000002.1546235828.0000000001790000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Versanddetails.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000003.00000002.1162714830.0000000002A90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1548489794.0000000006142000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1548489794.0000000006142000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1546624783.00000000043E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1546624783.00000000043E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1163444066.0000000002C5F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Versanddetails.exe.6140000.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Versanddetails.exe.6140000.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/6@1/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4176
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER91DC.tmp
Source: Versanddetails.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Versanddetails.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Versanddetails.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Versanddetails.exe | Virustotal: Detection: 48%
Source: Versanddetails.exe | ReversingLabs: Detection: 52%
Source: unknown | Process created: C:\Users\user\Desktop\Versanddetails.exe 'C:\Users\user\Desktop\Versanddetails.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1972
Source: C:\Users\user\Desktop\Versanddetails.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\Versanddetails.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: Versanddetails.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Versanddetails.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000003.00000002.1172173616.00000000082EA000.00000004.00000010.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Runtime.Remoting.pdb8 source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000003.00000002.1172173616.00000000082EA000.00000004.00000010.sdmp
            Source: Binary string: Accessibility.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.ni.pdbRSDS source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: Accessibility.pdbLk^i source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Management.ni.pdbRSDSJ source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Configuration.ni.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: (P"j0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000003.00000002.1172173616.00000000082EA000.00000004.00000010.sdmp
            Source: Binary string: mscorlib.pdbBTM\TM NTM_CorDllMainmscoree.dll source: RegAsm.exe, 00000003.00000002.1170788205.00000000077C0000.00000004.00000001.sdmp
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1164841949.0000000003AF5000.00000004.00000001.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Configuration.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Xml.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Core.ni.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.PDB"jH source: RegAsm.exe, 00000003.00000002.1172173616.00000000082EA000.00000004.00000010.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000003.00000002.1172173616.00000000082EA000.00000004.00000010.sdmp, WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Drawing.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Management.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: t .pdb0 source: RegAsm.exe, 00000003.00000002.1172173616.00000000082EA000.00000004.00000010.sdmp
            Source: Binary string: System.Drawing.pdb8 source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: mscorlib.ni.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1170276988.0000000006EC0000.00000004.00000001.sdmp
            Source: Binary string: System.Management.ni.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Core.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.1164713286.0000000003A90000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.pdb(r@ source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Windows.Forms.pdb0* source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: Microsoft.VisualBasic.pdbXp source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Xml.ni.pdbRSDS source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: RegAsm.exe, 00000003.00000002.1172173616.00000000082EA000.00000004.00000010.sdmp
            Source: Binary string: System.Xml.pdb@ source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.ni.pdb source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER91DC.tmp.dmp.6.dr
            Source: Binary string: mscorlib.pdb.x source: RegAsm.exe, 00000003.00000002.1172173616.00000000082EA000.00000004.00000010.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_00FB4CF8 push 72040000h; retf 0018h 0_2_00FB4CF4
            Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_00FB4CF8 push 72040000h; retf 0018h 0_2_00FB4E31
            Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_00FE055F push cs; ret 0_2_00FE05CF
            Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_00FB4ED1 push 72040000h; retf 0018h 0_2_00FB4ED8
            Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_00FB4AAB push 72040000h; retf 0018h 0_2_00FB4CF4
            Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_00FB4AAB push 72040000h; retf 0018h 0_2_00FB4E31
            Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_00FB4AAB push 72040000h; retf 0018h 0_2_00FB4FD8
            Source: initial sample | Static PE information: section name: .text entropy: 7.08687897081

            Hooking and other Techniques for Hiding and Protection:

            Changes the view of files in windows explorer (hidden files and folders)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
            Source: C:\Users\user\Desktop\Versanddetails.exe | Process information set: NOOPENFILEERRORBOX (14 entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (53 entries)
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 entries)

            Source: C:\Users\user\Desktop\Versanddetails.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 300000
            Source: C:\Users\user\Desktop\Versanddetails.exe TID: 5360 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1788 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1612 | Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3364 | Thread sleep time: -140000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2400 | Thread sleep time: -300000s >= -30000s
            Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
            Source: RegAsm.exe, 00000003.00000002.1162211434.0000000000E57000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort (2 entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_077ABD40 LdrInitializeThunk, 3_2_077ABD40
            Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_033600AD mov ecx, dword ptr fs:[00000030h] 0_2_033600AD
            Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_033600AD mov eax, dword ptr fs:[00000030h] 0_2_033600AD
            Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_033601CB mov eax, dword ptr fs:[00000030h] 0_2_033601CB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Versanddetails.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            .NET source code references suspicious native API functions
            Source: 0.2.Versanddetails.exe.6140000.2.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 0.2.Versanddetails.exe.6140000.2.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 3.2.RegAsm.exe.400000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\Versanddetails.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\Versanddetails.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (2 entries)
            Source: Versanddetails.exe, 00000000.00000002.1546451742.0000000001DE0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: Versanddetails.exe, 00000000.00000002.1546451742.0000000001DE0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: Versanddetails.exe, 00000000.00000002.1546451742.0000000001DE0000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: Versanddetails.exe, 00000000.00000002.1546451742.0000000001DE0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

            Source: C:\Users\user\Desktop\Versanddetails.exe | Queries volume information: C:\Users\user\Desktop\Versanddetails.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

            Stealing of Sensitive Information:

            Yara detected MailPassView
            Source: Yara match | File source: 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1548489794.0000000006142000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.1164713286.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1546624783.00000000043E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Versanddetails.exe PID: 3804, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4176, type: MEMORY
            Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Versanddetails.exe.6140000.2.unpack, type: UNPACKEDPE
            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match | File source: 00000003.00000002.1164841949.0000000003AF5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1548489794.0000000006142000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1546624783.00000000043E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Versanddetails.exe PID: 3804, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4176, type: MEMORY
            Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Versanddetails.exe.6140000.2.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Detected HawkEye Rat
            Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: Versanddetails.exe, 00000000.00000002.1548299036.0000000005B31000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Source: RegAsm.exe, 00000003.00000002.1162714830.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger
            Source: RegAsm.exe, 00000003.00000002.1162714830.0000000002A90000.00000004.00000001.sdmp | String found in binary or memory: k&HawkEye_Keylogger_Execution_Confirmed_
            Source: RegAsm.exe, 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: RegAsm.exe, 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: RegAsm.exe, 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: RegAsm.exe, 00000003.00000002.1160948173.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Replication Through Removable Media1 | Windows Management Instrumentation1 | Hidden Files and Directories1 | Process Injection112 | Masquerading11 | Input Capture311 | Virtualization/Sandbox Evasion4 | Replication Through Removable Media1 | Input Capture311 | Data Encrypted11 | Standard Cryptographic Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Replication Through Removable Media | Execution through API1 | Port Monitors | Accessibility Features | Hidden Files and Directories1 | Network Sniffing | Process Discovery2 | Remote Services | Clipboard Data1 | Exfiltration Over Other Network Medium | Remote Access Tools1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Software Packing12 | Input Capture | Peripheral Device Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Disabling Security Tools1 | Credentials in Files | Security Software Discovery31 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol1 | SIM Card Swap |  | Premium SMS Toll Fraud
            Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Virtualization/Sandbox Evasion4 | Account Manipulation | Remote System Discovery1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Process Injection112 | Brute Force | System Information Discovery22 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service |  | Abuse Accessibility Features
            Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Deobfuscate/Decode Files or Information1 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Obfuscated Files or Information31 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
            Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | DLL Side-Loading1 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station |  | Data Destruction

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.