
Analysis Report Payment_slip.exe

Overview

General Information

Sample Name: Payment_slip.exe
Analysis ID: 248843
MD5: 4b3ac1a2ed151b36a4468f47bf2d8781
SHA1: 84e997cf5e76ab524c4d0534e51e6fe0dcd1dad7
SHA256: dab6a48ba657c5f7b2847c460dd389e85b368e1e55e7f1ba4e3603f43bcf3fbf

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Payment_slip.exe (PID: 5544 cmdline: 'C:\Users\user\Desktop\Payment_slip.exe' MD5: 4B3AC1A2ED151B36A4468F47BF2D8781)
    • RegAsm.exe (PID: 5636 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 5836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1964 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
      • vbc.exe (PID: 5964 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5972 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x10127:$key: HawkEyeKeylogger
  • 0x12391:$salt: 099u787978786
  • 0x10768:$string1: HawkEye_Keylogger
  • 0x115bb:$string1: HawkEye_Keylogger
  • 0x122f1:$string1: HawkEye_Keylogger
  • 0x10b51:$string2: holdermail.txt
  • 0x10b71:$string2: holdermail.txt
  • 0x10a93:$string3: wallet.dat
  • 0x10aab:$string3: wallet.dat
  • 0x10ac1:$string3: wallet.dat
  • 0x11eb5:$string4: Keylog Records
  • 0x121cd:$string4: Keylog Records
  • 0x123e9:$string5: do not script -->
  • 0x1010f:$string6: \pidloc.txt
  • 0x1019d:$string7: BSPLIT
  • 0x101ad:$string7: BSPLIT
Source: 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, Rule: Hawkeye, Description: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
  • 0x107c0:$hawkstr1: HawkEye Keylogger
  • 0x11601:$hawkstr1: HawkEye Keylogger
  • 0x11930:$hawkstr1: HawkEye Keylogger
  • 0x11a8b:$hawkstr1: HawkEye Keylogger
  • 0x11bee:$hawkstr1: HawkEye Keylogger
  • 0x11e8d:$hawkstr1: HawkEye Keylogger
  • 0x1034e:$hawkstr2: Dear HawkEye Customers!
  • 0x11983:$hawkstr2: Dear HawkEye Customers!
  • 0x11ada:$hawkstr2: Dear HawkEye Customers!
  • 0x11c41:$hawkstr2: Dear HawkEye Customers!
  • 0x1046f:$hawkstr3: HawkEye Logger Details:
Source: 00000002.00000002.555774642.0000000004161000.00000004.00000001.sdmp, Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Author: Joe Security
Source: 00000002.00000002.555919177.00000000041C6000.00000004.00000001.sdmp, Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Author: Joe Security
Source: 00000002.00000002.553338636.0000000003161000.00000004.00000001.sdmp, Rule: Hawkeye, Description: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
  • 0x39570:$hawkstr1: HawkEye Keylogger
  • 0x3d1d0:$hawkstr1: HawkEye Keylogger
  • 0x3d5a0:$hawkstr1: HawkEye Keylogger
  • 0x601f4:$hawkstr1: HawkEye Keylogger
  • 0x39028:$hawkstr2: Dear HawkEye Customers!
  • 0x3d230:$hawkstr2: Dear HawkEye Customers!
  • 0x3d600:$hawkstr2: Dear HawkEye Customers!
  • 0x39156:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Author: Joe Security
Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Author: Joe Security
Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Rule: Hawkeye, Description: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
  • 0x7bfb0:$hawkstr1: HawkEye Keylogger
  • 0x7cdf1:$hawkstr1: HawkEye Keylogger
  • 0x7d120:$hawkstr1: HawkEye Keylogger
  • 0x7d27b:$hawkstr1: HawkEye Keylogger
  • 0x7d3de:$hawkstr1: HawkEye Keylogger
  • 0x7d67d:$hawkstr1: HawkEye Keylogger
  • 0x7bb3e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d173:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d431:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc5f:$hawkstr3: HawkEye Logger Details:
Source: 2.2.RegAsm.exe.400000.0.unpack, Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started, Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update), Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 5636, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 5964

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Payment_slip.exe, Avira: detected
Multi AV Scanner detection for submitted file
Source: Payment_slip.exe, Virustotal: Detection: 54%
Machine Learning detection for sample
Source: Payment_slip.exe, Joe Sandbox ML: detected
Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.RegAsm.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: RegAsm.exe, 00000002.00000002.551181822.0000000000402000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000002.00000002.551181822.0000000000402000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (2_2_07A43F9C)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (2_2_07A4467B)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then call 0577A6E8h (2_2_07A4316D)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (2_2_07A4316D)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (2_2_07ED9F70)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (2_2_07ED7ED0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (2_2_07EDA430)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (2_2_07EDAB03)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (2_2_07EDA0CD)
Source: unknown, DNS traffic detected: query: 241.215.8.0.in-addr.arpa replaycode: Name error (3)
Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.555919177.00000000041C6000.00000004.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.555919177.00000000041C6000.00000004.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown, DNS traffic detected: queries for: 241.215.8.0.in-addr.arpa
Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.555919177.00000000041C6000.00000004.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.555919177.00000000041C6000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: RegAsm.exe, 00000002.00000002.553338636.0000000003161000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.525561717.00000000051F0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.551181822.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, RegAsm.exe, 00000002.00000003.483006539.00000000062D7000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000002.00000003.488279458.00000000062F6000.00000004.00000001.sdmp, String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: RegAsm.exe, 00000002.00000003.483711856.00000000062CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: RegAsm.exe, 00000002.00000003.483711856.00000000062CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com5
Source: RegAsm.exe, 00000002.00000003.483824742.00000000062C2000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comCn
Source: RegAsm.exe, 00000002.00000003.483838298.00000000062C9000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comTC
Source: RegAsm.exe, 00000002.00000003.483711856.00000000062CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coming%
Source: RegAsm.exe, 00000002.00000003.483711856.00000000062CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comk
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000002.00000003.483711856.00000000062CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comltU
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000002.00000003.481893343.00000000062CD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn5
Source: RegAsm.exe, 00000002.00000003.481967090.00000000062D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnC
Source: RegAsm.exe, 00000002.00000003.481893343.00000000062CD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cng
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000002.00000002.555774642.0000000004161000.00000004.00000001.sdmp, String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000002.00000002.553338636.0000000003161000.00000004.00000001.sdmp, String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000002.00000003.483838298.00000000062C9000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com/
Source: RegAsm.exe, 00000002.00000003.483838298.00000000062C9000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com4X
Source: RegAsm.exe, 00000002.00000003.483838298.00000000062C9000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comic
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000002.00000002.559902963.00000000063B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 00000002.00000003.483711856.00000000062CF000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn#

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs, .Net Code: HookKeyboard
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs, .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 2_2_07ED679C SetWindowsHookExA 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: Payment_slip.exe, 00000000.00000002.475138691.00000000012D0000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Window created: window name: CLIPBRDWNDCLASS

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.553338636.0000000003161000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.551181822.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000002.00000002.551181822.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.477373474.00000000055D3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.477373474.00000000055D3000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.477585949.0000000005BE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.477585949.0000000005BE2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: Payment_slip.exe
          Source: C:\Users\user\Desktop\Payment_slip.exeCode function: 0_2_01581C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,0_2_01581C09
          Source: C:\Users\user\Desktop\Payment_slip.exeCode function: 0_2_015800AD NtOpenSection,NtMapViewOfSection,0_2_015800AD
          Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\Windows\AppCompat\Programs\Amcache.hve.tmpJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0310B29C2_2_0310B29C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0310C3102_2_0310C310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0310B2902_2_0310B290
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_031099D02_2_031099D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0310DFD02_2_0310DFD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07A485182_2_07A48518
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07A44B102_2_07A44B10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07A400402_2_07A40040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07A458512_2_07A45851
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07A4316D2_2_07A4316D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07ED5EB82_2_07ED5EB8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07ED55E82_2_07ED55E8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07EDB4802_2_07EDB480
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07EDA4402_2_07EDA440
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07ED9B502_2_07ED9B50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07ED92E82_2_07ED92E8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07EDB4712_2_07EDB471
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07EDB4732_2_07EDB473
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07ED9B402_2_07ED9B40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07ED52A02_2_07ED52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07ED00272_2_07ED0027
          Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1964
          Source: Payment_slip.exe, 00000000.00000002.475138691.00000000012D0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Payment_slip.exe
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameutfcvhbBNbFGMleB.river.exe4 vs Payment_slip.exe
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Payment_slip.exe
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Payment_slip.exe
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Payment_slip.exe
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs Payment_slip.exe
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.553338636.0000000003161000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.551181822.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000002.00000002.551181822.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.477373474.00000000055D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000000.00000002.477373474.00000000055D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.477585949.0000000005BE2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000000.00000002.477585949.0000000005BE2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: Payment_slip.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/7@1/0
          Source: C:\Users\user\Desktop\Payment_slip.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_slip.exe.log
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5636
          Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2146.tmp
          Source: Payment_slip.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Payment_slip.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Payment_slip.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: Payment_slip.exe | Virustotal: Detection: 54%
          Source: unknown | Process created: C:\Users\user\Desktop\Payment_slip.exe 'C:\Users\user\Desktop\Payment_slip.exe'
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1964
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
          Source: C:\Users\user\Desktop\Payment_slip.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
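The process tree in the rows above is the classic HawkEye chain: the dropped sample starts RegAsm.exe with no arguments (a .NET utility that does nothing useful without any), the hollowed RegAsm.exe then runs two copies of vbc.exe with a NirSoft-style /stext switch that writes recovered browser and mail credentials to %TEMP%, and WerFault.exe reports on PID 5636. The /stext switch belongs to the NirSoft password-recovery tools (WebBrowserPassView, mailpv), not to the Visual Basic compiler. The Python below is an added example and not part of the Joe Sandbox report: it encodes that chain as three detection rules and runs them over constructed process-creation records. The image paths and command lines are copied from the rows above; the record fields, every PID other than 5636, and the assumption that PID 5636 is RegAsm.exe (the report does not say) are made up for the example.

```python
"""Detect the RegAsm.exe -> vbc.exe /stext chain recorded in this report.

Added example, not part of the Joe Sandbox report. Three rules run over
constructed process-creation records; image paths and command lines come
from the report's "Process created" rows, the record fields and every PID
other than 5636 are assumptions made for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


# .NET framework binaries that loaders such as HawkEye start and hollow out.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                "vbc.exe", "csc.exe", "msbuild.exe"}
# Output switches of the NirSoft password-recovery tools (WebBrowserPassView,
# mailpv); no .NET compiler or registration utility accepts them.
NIRSOFT_SWITCH = re.compile(r"(?i)(?:^|\s)/s(?:text|html|verhtml|xml|csv|tab|comma)\b")
WERFAULT_PID = re.compile(r"-p\s+(\d+)")
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\users\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(ev: ProcEvent) -> bool:
    """True when the command line is only the image path, bare or quoted."""
    return ev.command_line.strip().strip("'\"").lower() == ev.image.lower()


def detect(events):
    """Return sorted (rule, pid) findings for the HawkEye-style chain."""
    by_pid = {ev.pid: ev for ev in events}
    findings, suspects = [], set()
    for ev in events:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        # Rule 1: a .NET utility started without arguments by a program in a
        # user-writable directory is a hollowing target (RegAsm.exe here).
        if (name in DOTNET_HOSTS and has_no_arguments(ev)
                and parent is not None and USER_WRITABLE.match(parent.image)):
            findings.append(("argless-dotnet-host-from-user-dir", ev.pid))
            suspects.add(ev.pid)
        # Rule 2: a .NET binary given a NirSoft output switch is running an
        # injected password-recovery tool (vbc.exe /stext ... here).
        if name in DOTNET_HOSTS and NIRSOFT_SWITCH.search(ev.command_line):
            findings.append(("nirsoft-switch-on-dotnet-binary", ev.pid))
    # Rule 3: WerFault.exe reporting on a suspect PID corroborates the injection
    # (the hollowed host crashed); evaluated once the suspect set is complete.
    for ev in events:
        if basename(ev.image) == "werfault.exe":
            m = WERFAULT_PID.search(ev.command_line)
            if m and int(m.group(1)) in suspects:
                findings.append(("werfault-for-suspect-pid", ev.pid))
    return sorted(findings)


# Constructed records mirroring the report's process tree (PIDs other than 5636
# are invented), plus one benign vbc.exe compile as a control.
SAMPLE_EVENTS = [
    ProcEvent(4100, 1200, r"C:\Users\user\Desktop\Payment_slip.exe",
              r"'C:\Users\user\Desktop\Payment_slip.exe'"),
    ProcEvent(5636, 4100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ProcEvent(5700, 5636, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1964"),
    ProcEvent(5800, 5636, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"),
    ProcEvent(5801, 5636, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    ProcEvent(6000, 900, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r"vbc.exe /target:library /out:Foo.dll Foo.vb"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 is the high-confidence signal on its own; rule 1 fires on legitimate installers that launch RegAsm.exe from a user profile, so it is best used as the anchor that rules 3 and the /stext children hang off rather than as a stand-alone alert.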
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Payment_slip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Payment_slip.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: anagement.pdb source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.508878674.000000000499A000.00000004.00000001.sdmp
          Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.529693014.0000000004D72000.00000004.00000040.sdmp
          Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.529851922.0000000004DA1000.00000004.00000001.sdmp
          Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000002.00000002.562654444.0000000007EE0000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.530220867.0000000004D70000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.508940552.0000000000875000.00000004.00000001.sdmp
          Source: Binary string: winnsi.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: ml.pdb source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: .ni.pdb source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 00000005.00000003.529958521.0000000004D81000.00000004.00000040.sdmp
          Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: ility.pdb source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: untime.Remoting.pdbn source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.529851922.0000000004DA1000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdb8 source: WER2146.tmp.dmp.5.dr
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.529958521.0000000004D81000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.553338636.0000000003161000.00000004.00000001.sdmp
          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.555774642.0000000004161000.00000004.00000001.sdmp
          Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000002.00000002.562654444.0000000007EE0000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: RegAsm.exe, 00000002.00000002.563499705.00000000089DA000.00000004.00000010.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 00000005.00000003.529851922.0000000004DA1000.00000004.00000001.sdmp
          Source: Binary string: sfc.pdb! source: WerFault.exe, 00000005.00000003.529958521.0000000004D81000.00000004.00000040.sdmp
          Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: shell32.pdbk source: WerFault.exe, 00000005.00000003.529693014.0000000004D72000.00000004.00000040.sdmp
          Source: Binary string: System.Management.pdbL7 source: WER2146.tmp.dmp.5.dr
          Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.563499705.00000000089DA000.00000004.00000010.sdmp
          Source: Binary string: .pdb0 source: RegAsm.exe, 00000002.00000002.563499705.00000000089DA000.00000004.00000010.sdmp
          Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: alijroiCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000005.00000002.542744483.00000000002D2000.00000004.00000010.sdmp
          Source: Binary string: nsi.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: System.Management.ni.pdbRSDSJ source: WER2146.tmp.dmp.5.dr
          Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.529693014.0000000004D72000.00000004.00000040.sdmp
          Source: Binary string: (Pwi0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000002.00000002.563499705.00000000089DA000.00000004.00000010.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000005.00000003.529958521.0000000004D81000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER2146.tmp.dmp.5.dr
          Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: System.Core.ni.pdb` source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000005.00000003.529851922.0000000004DA1000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000002.00000002.563499705.00000000089DA000.00000004.00000010.sdmp, WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: .pdbVW source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: DWrite.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.529693014.0000000004D72000.00000004.00000040.sdmp
          Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: System.Management.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.530220867.0000000004D70000.00000004.00000040.sdmp
          Source: Binary string: System.Management.ni.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.510108495.0000000000881000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER2146.tmp.dmp.5.dr
          Source: Binary string: sfc.pdb source: WerFault.exe, 00000005.00000003.529958521.0000000004D81000.00000004.00000040.sdmp
          Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: nsi.pdb% source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.529851922.0000000004DA1000.00000004.00000001.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WER2146.tmp.dmp.5.dr
          Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.563499705.00000000089DA000.00000004.00000010.sdmp
          Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000005.00000003.529794296.0000000004D8E000.00000004.00000001.sdmp
          Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdb< source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: rawing.pdb source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: gdiplus.pdb*6 source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb<3 source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.530220867.0000000004D70000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.529851922.0000000004DA1000.00000004.00000001.sdmp
          Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.529693014.0000000004D72000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000005.00000003.529693014.0000000004D72000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.529693014.0000000004D72000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb4 source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.529851922.0000000004DA1000.00000004.00000001.sdmp
          Source: Binary string: System.pdb(@s source: WER2146.tmp.dmp.5.dr
          Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000005.00000003.529794296.0000000004D8E000.00000004.00000001.sdmp
          Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: dhcpcsvc.pdb&6 source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdb4- source: WER2146.tmp.dmp.5.dr
          Source: Binary string: DWrite.pdb 6 source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: clrjit.pdbx1 source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: pnrpnsp.pdb~1n4 source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: System.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.508940552.0000000000875000.00000004.00000001.sdmp
          Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.529851922.0000000004DA1000.00000004.00000001.sdmp
          Source: Binary string: anagement.ni.pdb source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER2146.tmp.dmp.5.dr
          Source: Binary string: System.Core.pdbY source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: clrjit.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.529693014.0000000004D72000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.PDBwi source: RegAsm.exe, 00000002.00000002.563499705.00000000089DA000.00000004.00000010.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000005.00000003.529958521.0000000004D81000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: fastprox.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: winrnr.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: winrnr.pdb46 source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbBTM\TM NTM_CorDllMainmscoree.dll source: RegAsm.exe, 00000002.00000002.562654444.0000000007EE0000.00000004.00000001.sdmp
          Source: Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdbE source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Payment_slip.exe, 00000000.00000002.475419598.0000000004075000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.555919177.00000000041C6000.00000004.00000001.sdmp
          Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: System.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.530220867.0000000004D70000.00000004.00000040.sdmp
          Source: Binary string: psapi.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: rawing.pdb" source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.508977967.0000000000887000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.530220867.0000000004D70000.00000004.00000040.sdmp
          Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.530246384.0000000004D7B000.00000004.00000040.sdmp
          Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000005.00000003.527642507.0000000004CE0000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.529851922.0000000004DA1000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000005.00000003.529906906.0000000004DA2000.00000004.00000001.sdmp
          Source: Binary string: comctl32.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000005.00000003.529934600.0000000004DB9000.00000004.00000001.sdmp
          Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 00000005.00000003.529881043.0000000004DB9000.00000004.00000001.sdmp, WER2146.tmp.dmp.5.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER2146.tmp.dmp.5.dr
          Source: Binary string: edputil.pdb source: WerFault.exe, 00000005.00000003.529971655.0000000004D85000.00000004.00000040.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Payment_slip.exe Code function: 0_2_00B78FB6 push eax; ret 0_2_00B78FD6
          Source: C:\Users\user\Desktop\Payment_slip.exe Code function: 0_2_00B8A9B3 push esi; ret 0_2_00B8A9CA
          Source: C:\Users\user\Desktop\Payment_slip.exe Code function: 0_2_00BE1793 push edi; ret 0_2_00BE17AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0310E673 push esp; ret 2_2_0310E679
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_07A41C20 push es; ret 2_2_07A41C30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_07A44A6F push es; ret 2_2_07A44A70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_07EDD1A9 push esp; retf 2_2_07EDD1AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_07ED8084 push eax; retn 0576h 2_2_07ED8089
          Source: initial sample Static PE information: section name: .text entropy: 7.11868932459

          Hooking and other Techniques for Hiding and Protection:

          Changes the view of files in windows explorer (hidden files and folders)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
          Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
          Source: C:\Users\user\Desktop\Payment_slip.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Payment_slip.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 300000
          Source: C:\Users\user\Desktop\Payment_slip.exe TID: 5592 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5668 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5752 Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5756 Thread sleep time: -140000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5764 Thread sleep time: -300000s >= -30000s
          Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
          Source: WerFault.exe, 00000005.00000002.547810635.0000000004AE0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: WerFault.exe, 00000005.00000002.543495902.00000000007CE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
          Source: WerFault.exe, 00000005.00000002.547612656.000000000497E000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW/?J0
          Source: WerFault.exe, 00000005.00000002.547810635.0000000004AE0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: WerFault.exe, 00000005.00000002.547810635.0000000004AE0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: WerFault.exe, 00000005.00000002.547810635.0000000004AE0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_07EDBD40 LdrInitializeThunk, 2_2_07EDBD40
          Source: C:\Users\user\Desktop\Payment_slip.exe Code function: 0_2_015801CB mov eax, dword ptr fs:[00000030h] 0_2_015801CB
          Source: C:\Users\user\Desktop\Payment_slip.exe Code function: 0_2_015800AD mov ecx, dword ptr fs:[00000030h] 0_2_015800AD
          Source: C:\Users\user\Desktop\Payment_slip.exe Code function: 0_2_015800AD mov eax, dword ptr fs:[00000030h] 0_2_015800AD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Payment_slip.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          .NET source code references suspicious native API functions
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 0.2.Payment_slip.exe.5be0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 2.2.RegAsm.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Payment_slip.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Payment_slip.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
          Source: C:\Users\user\Desktop\Payment_slip.exe Queries volume information: C:\Users\user\Desktop\Payment_slip.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior