Analysis Report SLIP.exe

Overview

General Information

Sample Name: SLIP.exe
Analysis ID: 253973
MD5: 3f8caacf73c89cb7bf6afe8a56218a03
SHA1: fda1a5766df7423ed196a8982e0a3d1cc4c8ee1f
SHA256: ab4c9019f3f231fdedb61a280f15eb7cc83d76d6f1ee9a0ad2dc363386650016

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • SLIP.exe (PID: 6788 cmdline: 'C:\Users\user\Desktop\SLIP.exe' MD5: 3F8CAACF73C89CB7BF6AFE8A56218A03)
    • dw20.exe (PID: 6992 cmdline: dw20.exe -x -s 2252 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
    • vbc.exe (PID: 7092 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • vbc.exe (PID: 7104 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • WerFault.exe (PID: 5348 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 180 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
SLIP.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
SLIP.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
SLIP.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
SLIP.exe | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bfb0:$hawkstr1: HawkEye Keylogger
  • 0x7cdf1:$hawkstr1: HawkEye Keylogger
  • 0x7d120:$hawkstr1: HawkEye Keylogger
  • 0x7d27b:$hawkstr1: HawkEye Keylogger
  • 0x7d3de:$hawkstr1: HawkEye Keylogger
  • 0x7d67d:$hawkstr1: HawkEye Keylogger
  • 0x7bb3e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d173:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d431:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc5f:$hawkstr3: HawkEye Logger Details:

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.255454674.0000000004141000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b717:$key: HawkEyeKeylogger
  • 0x7d981:$salt: 099u787978786
  • 0x7bd58:$string1: HawkEye_Keylogger
  • 0x7cbab:$string1: HawkEye_Keylogger
  • 0x7d8e1:$string1: HawkEye_Keylogger
  • 0x7c141:$string2: holdermail.txt
  • 0x7c161:$string2: holdermail.txt
  • 0x7c083:$string3: wallet.dat
  • 0x7c09b:$string3: wallet.dat
  • 0x7c0b1:$string3: wallet.dat
  • 0x7d4a5:$string4: Keylog Records
  • 0x7d7bd:$string4: Keylog Records
  • 0x7d9d9:$string5: do not script -->
  • 0x7b6ff:$string6: \pidloc.txt
  • 0x7b78d:$string7: BSPLIT
  • 0x7b79d:$string7: BSPLIT
00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bdb0:$hawkstr1: HawkEye Keylogger
  • 0x7cbf1:$hawkstr1: HawkEye Keylogger
  • 0x7cf20:$hawkstr1: HawkEye Keylogger
  • 0x7d07b:$hawkstr1: HawkEye Keylogger
  • 0x7d1de:$hawkstr1: HawkEye Keylogger
  • 0x7d47d:$hawkstr1: HawkEye Keylogger
  • 0x7b93e:$hawkstr2: Dear HawkEye Customers!
  • 0x7cf73:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d231:$hawkstr2: Dear HawkEye Customers!
  • 0x7ba5f:$hawkstr3: HawkEye Logger Details:
(12 entries in total; the remaining entries are not shown here.)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
4.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.2.SLIP.exe.960000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
0.2.SLIP.exe.960000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.2.SLIP.exe.960000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(5 entries in total; the remaining entries are not shown here.)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: 'C:\Users\user\Desktop\SLIP.exe', ParentImage: C:\Users\user\Desktop\SLIP.exe, ParentProcessId: 6788, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', ProcessId: 7092

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: SLIP.exe | Joe Sandbox ML: detected
Source: SLIP.exe | Binary or memory string: autorun.inf
Source: SLIP.exe | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com (10 identical queries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: whatismyipaddress.com; Connection: Keep-Alive (2 occurrences)
Source: SLIP.exe | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: SLIP.exe | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: SLIP.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 201.75.14.0.in-addr.arpa
Source: SLIP.exe | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: SLIP.exe, 00000000.00000003.233165041.0000000005717000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikip
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SLIP.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: SLIP.exe, 00000000.00000002.254468736.00000000034D4000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
Source: SLIP.exe | String found in binary or memory: http://whatismyipaddress.com/
Source: SLIP.exe | String found in binary or memory: http://whatismyipaddress.com/-
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SLIP.exe, 00000000.00000003.232446542.0000000005713000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SLIP.exe, 00000000.00000002.257436945.0000000005708000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comP:
Source: SLIP.exe, 00000000.00000002.257436945.0000000005708000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: SLIP.exe, 00000000.00000002.257436945.0000000005708000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdia
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: SLIP.exe, 00000000.00000003.232112761.0000000005712000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SLIP.exe, 00000000.00000003.231894686.0000000005711000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnp
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SLIP.exe, 00000000.00000003.233720865.000000000570B000.00000004.00000001.sdmp, SLIP.exe, 00000000.00000003.233309462.0000000005703000.00000004.00000001.sdmp, SLIP.exe, 00000000.00000003.233946382.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SLIP.exe, 00000000.00000003.233720865.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: SLIP.exe, 00000000.00000003.233720865.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz):
Source: SLIP.exe, 00000000.00000003.233720865.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: SLIP.exe, 00000000.00000003.233720865.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: SLIP.exe, 00000000.00000003.233546248.0000000005707000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/B:
Source: SLIP.exe, 00000000.00000003.233720865.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/P:
Source: SLIP.exe, 00000000.00000003.233946382.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: SLIP.exe, 00000000.00000003.233720865.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SLIP.exe, 00000000.00000003.233946382.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/7:
Source: SLIP.exe, 00000000.00000003.233720865.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/B:
Source: SLIP.exe, 00000000.00000003.233720865.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/f:
Source: SLIP.exe, 00000000.00000003.233720865.000000000570B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t:
Source: SLIP.exe | String found in binary or memory: http://www.nirsoft.net/
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SLIP.exe, 00000000.00000002.254468736.00000000034D4000.00000004.00000001.sdmp, SLIP.exe, 00000000.00000002.253318504.0000000003141000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: SLIP.exe, 00000000.00000002.257784141.0000000005870000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SLIP.exe, 00000000.00000003.232446542.0000000005713000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: SLIP.exe, 00000000.00000003.232446542.0000000005713000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cne#
Source: SLIP.exe, 00000000.00000003.232446542.0000000005713000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.q
Source: SLIP.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: SLIP.exe, 00000000.00000002.253318504.0000000003141000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.com
Source: SLIP.exe, 00000000.00000002.253318504.0000000003141000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.com/
Source: SLIP.exe, 00000000.00000002.254588545.000000000358A000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.comXV
Source: SLIP.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: SLIP.exe, Form1.cs | .Net Code: HookKeyboard
Source: 0.2.SLIP.exe.960000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 0.0.SLIP.exe.960000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\Desktop\SLIP.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SLIP.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
Source: SLIP.exe, 00000000.00000002.252424862.0000000001140000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\SLIP.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: SLIP.exe, type: SAMPLE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: SLIP.exe, type: SAMPLE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.254661556.00000000035B8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.228774535.0000000000962000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.228774535.0000000000962000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.253318504.0000000003141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.253318504.0000000003141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SLIP.exe.960000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SLIP.exe.960000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.SLIP.exe.960000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.SLIP.exe.960000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_0096D426
Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_0097D5AE
Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_0096D523
Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_00977646
Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_009A29BE
Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_009A6AF4
Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_0099C7BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2252
Source: SLIP.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 resources)
Source: SLIP.exe | Binary or memory string: OriginalFilename vs SLIP.exe
Source: SLIP.exe | Binary or memory string: OriginalFileName vs SLIP.exe
Source: SLIP.exe, 00000000.00000002.255454674.0000000004141000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs SLIP.exe
Source: SLIP.exe, 00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs SLIP.exe
Source: SLIP.exe, 00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs SLIP.exe
Source: SLIP.exe, 00000000.00000002.251767523.00000000009E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs SLIP.exe
Source: SLIP.exe, 00000000.00000002.257109473.00000000054E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SLIP.exe
Source: SLIP.exe, 00000000.00000002.261503077.0000000007850000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SLIP.exe
Source: SLIP.exe, 00000000.00000002.252424862.0000000001140000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs SLIP.exe
Source: SLIP.exe | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs SLIP.exe
Source: SLIP.exe | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs SLIP.exe
Source: SLIP.exe | Binary or memory string: OriginalFilenamemailpv.exe< vs SLIP.exe
Source: SLIP.exe | Binary or memory string: OriginalFilenamePhulli.exe0 vs SLIP.exe
Source: C:\Users\user\Desktop\SLIP.exe | Section loaded: security.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll (2 occurrences)
Source: SLIP.exe, type: SAMPLE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: SLIP.exe, type: SAMPLE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.254661556.00000000035B8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.228774535.0000000000962000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000000.228774535.0000000000962000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.253318504.0000000003141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.253318504.0000000003141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.SLIP.exe.960000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.SLIP.exe.960000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.0.SLIP.exe.960000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.0.SLIP.exe.960000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: SLIP.exe, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: SLIP.exe, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: SLIP.exe, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: SLIP.exe, Form1.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.SLIP.exe.960000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 0.2.SLIP.exe.960000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 0.2.SLIP.exe.960000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 0.2.SLIP.exe.960000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                    Source: SLIP.exe, Form1.csBase64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 0.2.SLIP.exe.960000.0.unpack, Form1.csBase64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 0.0.SLIP.exe.960000.0.unpack, Form1.csBase64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/9@5/2
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,4_2_0040ED0B
                    Source: C:\Users\user\Desktop\SLIP.exeFile created: C:\Users\user\AppData\Roaming\pid.txtJump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7104
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDED.tmpJump to behavior
                    Source: SLIP.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\SLIP.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: SLIP.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: SLIP.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: SLIP.exe, 00000000.00000002.251689993.0000000000962000.00000002.00020000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: SLIP.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: SLIP.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: SLIP.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: SLIP.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: SLIP.exeString found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
                    Source: unknownProcess created: C:\Users\user\Desktop\SLIP.exe 'C:\Users\user\Desktop\SLIP.exe'
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2252
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 180
                    Source: C:\Users\user\Desktop\SLIP.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2252Jump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'Jump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'Jump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\SLIP.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
                    Source: SLIP.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: C:\Users\user\Desktop\SLIP.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                    Source: SLIP.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 00000008.00000002.273291165.0000000005000000.00000002.00000001.sdmp
                    Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.256567058.0000000002EB6000.00000004.00000001.sdmp
                    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.256684110.0000000002EBC000.00000004.00000001.sdmp
                    Source: Binary string: a*mjr-mCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.271713269.0000000000762000.00000004.00000010.sdmp
                    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000008.00000003.256684110.0000000002EBC000.00000004.00000001.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: SLIP.exe
                    Source: Binary string: wntdll.pdb source: WerFault.exe, 00000008.00000003.256734972.0000000002EB0000.00000004.00000001.sdmp
                    Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000008.00000003.256567058.0000000002EB6000.00000004.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: SLIP.exe
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: SLIP.exe
                    Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000008.00000003.259208581.0000000004F11000.00000004.00000001.sdmp
                    Source: Binary string: mscorrc.pdb source: SLIP.exe, 00000000.00000002.257109473.00000000054E0000.00000002.00000001.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 00000008.00000002.273291165.0000000005000000.00000002.00000001.sdmp
                    Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000008.00000003.256734972.0000000002EB0000.00000004.00000001.sdmp
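                    The rows above are the static evidence that ties SLIP.exe to the bundled NirSoft mailpv and WebBrowserPassView tools (their PDB paths and OriginalFilename fields), to the CMemoryExecute loader, and to the kernel32 injection imports. The script below is an added example, not part of the Joe Sandbox report and not the community YARA rules the report cites. It scans a buffer for those indicators in both encodings a .NET build stores them in, narrow strings for the CodeView PDB path and P/Invoke names and UTF-16LE for the VERSIONINFO OriginalFilename values (a default `strings` run prints only the narrow ones), and combines the categories into a verdict. The sample buffer is constructed from the strings quoted in this report; the category names and the verdict logic are assumptions.

```python
"""Static triage for the indicators listed in this report: embedded NirSoft
recovery tools, the CMemoryExecute/RunPE loader and its injection imports.

Added example; not part of the Joe Sandbox report or the YARA rules it cites.
Assumption: indicators appear as narrow (ASCII/UTF-8) strings in the debug
directory and .NET metadata, and as UTF-16LE strings in VERSIONINFO resources.
"""
from typing import Dict, List, Tuple

# Indicator strings quoted in the report, grouped by what they evidence.
INDICATORS: Dict[str, List[str]] = {
    "nirsoft_mailpv": [
        r"f:\Projects\VS2005\mailpv\Release\mailpv.pdb",
        "mailpv.exe",
    ],
    "nirsoft_webbrowserpassview": [
        r"f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb",
        "WebBrowserPassView.exe",
    ],
    "runpe_loader": ["CMemoryExecute.pdb", "CMemoryExecute.dll"],
    "injection_apis": [
        "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory", "VirtualProtectEx",
    ],
    "keylogger_api": ["GetAsyncKeyState"],
}

ENCODINGS = ("ascii", "utf-16-le")


def find_string(buf: bytes, needle: str) -> List[Tuple[str, int]]:
    """All (encoding, offset) hits of needle, searched as ASCII and as UTF-16LE."""
    hits = []
    for enc in ENCODINGS:
        pat = needle.encode(enc)
        start = 0
        while (idx := buf.find(pat, start)) != -1:
            hits.append((enc, idx))
            start = idx + 1
    return hits


def triage(buf: bytes) -> Dict[str, Dict[str, List[Tuple[str, int]]]]:
    """Map each indicator category to the strings found and where they sit."""
    found = {}
    for category, needles in INDICATORS.items():
        matches = {n: h for n in needles if (h := find_string(buf, n))}
        if matches:
            found[category] = matches
    return found


def verdict(found: Dict[str, object]) -> str:
    """Combine categories the way the report's signatures do (assumed scoring)."""
    keys = set(found)
    tools = {"nirsoft_mailpv", "nirsoft_webbrowserpassview"} & keys
    loader = {"runpe_loader", "injection_apis"} & keys
    if tools and loader:
        return "credential stealer: embedded NirSoft tools plus in-memory PE loader"
    if tools:
        return "bundles NirSoft password-recovery tools"
    if loader:
        return "process-injection capability, no bundled tools"
    return "no indicators"


# Constructed sample: a fake PE prefix followed by the report's strings in the
# encodings a real .NET build would use. These are not bytes from SLIP.exe.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"VirtualAllocEx\x00WriteProcessMemory\x00ReadProcessMemory\x00"
    + b"VirtualProtectEx\x00GetAsyncKeyState\x00"
    + rb"C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb" + b"\x00"
    + rb"f:\Projects\VS2005\mailpv\Release\mailpv.pdb" + b"\x00"
    + rb"f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb" + b"\x00"
    + "OriginalFilename\x00mailpv.exe\x00".encode("utf-16-le")
    + "OriginalFilename\x00WebBrowserPassView.exe\x00".encode("utf-16-le")
    + "OriginalFilename\x00CMemoryExecute.dll\x00".encode("utf-16-le")
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for category, matches in result.items():
        for needle, hits in matches.items():
            print(f"{category:28} {needle!r:72} {hits}")
    print("verdict:", verdict(result))
```

                    Run it against a process dump of the unpacked 0.2.SLIP.exe.960000.0.unpack image rather than the on-disk file when the loader stage is encrypted: the report's Form1.cs CreateDecryptor/TransformFinalBlock calls mean the embedded tools may only be visible after decryption, which is why the JPCERT rule above is written for memory scans.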

                    Data Obfuscation:

                    .NET source code contains potential unpacker
                    Source: SLIP.exe, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: SLIP.exe, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: SLIP.exe, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: SLIP.exe, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.SLIP.exe.960000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.SLIP.exe.960000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.SLIP.exe.960000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.SLIP.exe.960000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.0.SLIP.exe.960000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.0.SLIP.exe.960000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.0.SLIP.exe.960000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.0.SLIP.exe.960000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA
                    Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_009D0712 push eax; ret 0_2_009D0726
                    Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_009D0712 push eax; ret 0_2_009D074E
                    Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_009ABA9D push eax; ret 0_2_009ABAB1
                    Source: C:\Users\user\Desktop\SLIP.exe | Code function: 0_2_009ABA9D push eax; ret 0_2_009ABAD9
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00411879 push ecx; ret 4_2_00411889
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004118A0 push eax; ret 4_2_004118B4
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004118A0 push eax; ret 4_2_004118DC

                    Hooking and other Techniques for Hiding and Protection:

                    Changes the view of files in windows explorer (hidden files and folders)
                    Source: C:\Users\user\Desktop\SLIP.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
                    Source: C:\Users\user\Desktop\SLIP.exe | Process information set: NOOPENFILEERRORBOX (observed 58 times)
                    Source: C:\Users\user\Desktop\SLIP.exe | Process information set: NOGPFAULTERRORBOX (observed 2 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX (observed 8 times)
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (observed 20 times)
                    Source: C:\Users\user\Desktop\SLIP.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SLIP.exe | Thread delayed: delay time: 300000
                    Source: C:\Users\user\Desktop\SLIP.exe TID: 6812 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\SLIP.exe TID: 6976 | Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\SLIP.exe TID: 6980 | Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\SLIP.exe TID: 6988 | Thread sleep time: -300000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File opened: PhysicalDrive0
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
                    Source: SLIP.exe, 00000000.00000002.261503077.0000000007850000.00000002.00000001.sdmp, WerFault.exe, 00000008.00000002.273434048.0000000005120000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: WerFault.exe, 00000008.00000003.271297591.0000000002E7E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                    Source: SLIP.exe, 00000000.00000002.261503077.0000000007850000.00000002.00000001.sdmp, WerFault.exe, 00000008.00000002.273434048.0000000005120000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: SLIP.exe, 00000000.00000002.261503077.0000000007850000.00000002.00000001.sdmp, WerFault.exe, 00000008.00000002.273434048.0000000005120000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: SLIP.exe, 00000000.00000002.252424862.0000000001140000.00000004.00000020.sdmp, WerFault.exe, 00000008.00000003.269532964.0000000002EC3000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: SLIP.exe, 00000000.00000002.261503077.0000000007850000.00000002.00000001.sdmp, WerFault.exe, 00000008.00000002.273434048.0000000005120000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Users\user\Desktop\SLIP.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SLIP.exe | Process queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA
                    Source: C:\Users\user\Desktop\SLIP.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\SLIP.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: SLIP.exe, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: SLIP.exe, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.2.SLIP.exe.960000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.SLIP.exe.960000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.0.SLIP.exe.960000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.0.SLIP.exe.960000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\SLIP.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\SLIP.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2252
Source: C:\Users\user\Desktop\SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
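The three signatures above describe one chain: a RunPE-style P/Invoke set in the .NET source (VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, ReadProcessMemory), the image of a freshly started vbc.exe unmapped at its default 32-bit base 0x400000, and that same vbc.exe then running with NirSoft's /stext (save report as text) switch, which a compiler would never accept. The detector below is an added example, not part of the sandbox report or of the sample's code: it parses a handful of constructed rows in the row shape used above (the paths and command lines are the report's own, the "Source: ... | signature: detail" layout and the rule thresholds are assumptions) and correlates them into findings. The set of host binaries and the three-API threshold are tuning choices for illustration.

```python
import re

# Constructed sample rows in the shape of the report section above.
# Paths and command lines are copied from the report; the row layout is assumed.
SAMPLE_ROWS = r"""
Source: SLIP.exe, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: SLIP.exe, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: C:\Users\user\Desktop\SLIP.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2252
Source: C:\Users\user\Desktop\SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
"""

ROW_RE = re.compile(r"^Source: (?P<src>.+?) \| (?P<sig>[^:]+): (?P<detail>.*)$")
API_RE = re.compile(r"\('(\w+)', '\w+@(\w+)'\)")
UNMAP_RE = re.compile(r"^(?P<child>.+?) base address: (?P<base>[0-9A-Fa-f]+)$")

# P/Invoke set a RunPE loader needs to write a PE into a suspended child and
# flip page protections. Three or more in one source file is the threshold
# used here (an assumed tuning value, not the sandbox's).
RUNPE_APIS = {"VirtualAllocEx", "WriteProcessMemory", "VirtualProtectEx",
              "ReadProcessMemory", "NtUnmapViewOfSection", "SetThreadContext",
              "ResumeThread"}
# Signed .NET Framework binaries commonly abused as hollowing hosts (assumed list).
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}


def parse_rows(text):
    """Turn report rows into dicts {'src', 'sig', 'detail'}; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    findings = []
    hollowed = set()      # children whose image was unmapped by another process
    stext_hosts = set()   # .NET hosts launched with NirSoft's /stext switch
    for ev in events:
        sig, detail = ev["sig"], ev["detail"]
        if sig == "Reference to suspicious API methods":
            apis = {name for name, _dll in API_RE.findall(detail)}
            hit = apis & RUNPE_APIS
            if len(hit) >= 3:
                findings.append({"rule": "runpe_pinvoke_set",
                                 "where": ev["src"], "apis": sorted(hit)})
        elif sig == "Section unmapped":
            m = UNMAP_RE.match(detail)
            # 0x400000 is the default image base of a 32-bit EXE; unmapping it
            # inside another process is the classic hollowing step.
            if m and int(m["base"], 16) == 0x400000:
                child = basename(m["child"])
                hollowed.add(child)
                findings.append({"rule": "hollowing_unmap_image_base",
                                 "parent": ev["src"], "child": child})
        elif sig == "Process created":
            # Assumption: the image path holds no spaces, so it is the first token.
            image, _, cmdline = detail.partition(" ")
            child = basename(image)
            if child in DOTNET_HOSTS and "/stext" in cmdline.lower():
                stext_hosts.add(child)
                findings.append({"rule": "nirsoft_stext_in_dotnet_host",
                                 "parent": ev["src"], "child": child,
                                 "cmdline": cmdline})
    # Correlation: a hollowed .NET host that then runs with /stext is the
    # pattern of a NirSoft password-recovery tool injected into vbc.exe.
    for child in sorted(hollowed & stext_hosts):
        findings.append({"rule": "credential_dump_in_hollowed_host", "child": child})
    return findings


def rule_names(findings):
    return sorted({f["rule"] for f in findings})


if __name__ == "__main__":
    for finding in evaluate(parse_rows(SAMPLE_ROWS)):
        print(finding)
```

Form1.cs triggers nothing here even though GetAsyncKeyState is a keylogger tell, because the rule set scores injection capability only; dw20.exe is a legitimate child (the .NET error-reporting helper launched after the crash) and is correctly ignored because it neither matches the host list nor carries /stext. The same three rules map directly onto Sysmon data: event ID 1 for the /stext command line, and EDR or ETW image-unmap telemetry for the 0x400000 unmap.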