Analysis Report INVOICE.exe

Overview

General Information

Sample Name:INVOICE.exe
Analysis ID:260342
MD5:4037e5576f062533d5831b647cbd4423
SHA1:cb7cacaf6b49569ff2916a0bae1826525a040d60
SHA256:13f6f1d1869dbe741a1058440889194bb12f7e06045cebc9beaba8c0707149b1

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • INVOICE.exe (PID: 6880 cmdline: 'C:\Users\user\Desktop\INVOICE.exe' MD5: 4037E5576F062533D5831B647CBD4423)
    • RegAsm.exe (PID: 6816 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 6800 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • vbc.exe (PID: 6616 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7068 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • WerFault.exe (PID: 6096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 2032 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp

Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b6b5:$key: HawkEyeKeylogger
  • 0x7d907:$salt: 099u787978786
  • 0x7bd18:$string1: HawkEye_Keylogger
  • 0x7cb57:$string1: HawkEye_Keylogger
  • 0x7d867:$string1: HawkEye_Keylogger
  • 0x7c0ed:$string2: holdermail.txt
  • 0x7c10d:$string2: holdermail.txt
  • 0x7c02f:$string3: wallet.dat
  • 0x7c047:$string3: wallet.dat
  • 0x7c05d:$string3: wallet.dat
  • 0x7d42b:$string4: Keylog Records
  • 0x7d743:$string4: Keylog Records
  • 0x7d95f:$string5: do not script -->
  • 0x7b69d:$string6: \pidloc.txt
  • 0x7b72b:$string7: BSPLIT
  • 0x7b73b:$string7: BSPLIT

Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security

Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security

Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security

Rule: Hawkeye | Description: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bd70:$hawkstr1: HawkEye Keylogger
  • 0x7cb9d:$hawkstr1: HawkEye Keylogger
  • 0x7cecc:$hawkstr1: HawkEye Keylogger
  • 0x7d027:$hawkstr1: HawkEye Keylogger
  • 0x7d18a:$hawkstr1: HawkEye Keylogger
  • 0x7d403:$hawkstr1: HawkEye Keylogger
  • 0x7b8fe:$hawkstr2: Dear HawkEye Customers!
  • 0x7cf1f:$hawkstr2: Dear HawkEye Customers!
  • 0x7d076:$hawkstr2: Dear HawkEye Customers!
  • 0x7d1dd:$hawkstr2: Dear HawkEye Customers!
  • 0x7ba1f:$hawkstr3: HawkEye Logger Details:
  (truncated in the report; 27 entries in total)

Unpacked PEs

Source: 0.2.INVOICE.exe.5ec0000.3.unpack

Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b8b5:$key: HawkEyeKeylogger
  • 0x7db07:$salt: 099u787978786
  • 0x7bf18:$string1: HawkEye_Keylogger
  • 0x7cd57:$string1: HawkEye_Keylogger
  • 0x7da67:$string1: HawkEye_Keylogger
  • 0x7c2ed:$string2: holdermail.txt
  • 0x7c30d:$string2: holdermail.txt
  • 0x7c22f:$string3: wallet.dat
  • 0x7c247:$string3: wallet.dat
  • 0x7c25d:$string3: wallet.dat
  • 0x7d62b:$string4: Keylog Records
  • 0x7d943:$string4: Keylog Records
  • 0x7db5f:$string5: do not script -->
  • 0x7b89d:$string6: \pidloc.txt
  • 0x7b92b:$string7: BSPLIT
  • 0x7b93b:$string7: BSPLIT

Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security

Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security

Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security

Rule: Hawkeye | Description: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bf70:$hawkstr1: HawkEye Keylogger
  • 0x7cd9d:$hawkstr1: HawkEye Keylogger
  • 0x7d0cc:$hawkstr1: HawkEye Keylogger
  • 0x7d227:$hawkstr1: HawkEye Keylogger
  • 0x7d38a:$hawkstr1: HawkEye Keylogger
  • 0x7d603:$hawkstr1: HawkEye Keylogger
  • 0x7bafe:$hawkstr2: Dear HawkEye Customers!
  • 0x7d11f:$hawkstr2: Dear HawkEye Customers!
  • 0x7d276:$hawkstr2: Dear HawkEye Customers!
  • 0x7d3dd:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc1f:$hawkstr3: HawkEye Logger Details:
  (truncated in the report; 5 entries)
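The RAT_HawkEye strings above are plain-looking words ("holdermail.txt" is the same file name that the vbc.exe child in the Startup tree writes with /stext), but HawkEye is a .NET binary, so in a memory dump these user strings sit in UTF-16LE and an ASCII grep will miss them. The following Python is an added example written for this page, not code from Joe Sandbox or from the rule authors: it re-implements the string part of the rule as a scanner that records ASCII and wide hits separately and evaluates the condition. Two things are assumptions rather than facts shown on the page: that the published rule declares every string `wide`, and that its condition is `$key and $salt and all of ($string*)`. The sample buffer is constructed, not a real dump.

```python
"""Scan a memory dump for the RAT_HawkEye rule strings in ASCII and UTF-16LE (wide) form."""
from typing import Dict, List, Tuple

# Strings exactly as listed in the report's Yara match (name -> value).
RULE_STRINGS: Dict[str, str] = {
    "$key": "HawkEyeKeylogger",
    "$salt": "099u787978786",
    "$string1": "HawkEye_Keylogger",
    "$string2": "holdermail.txt",
    "$string3": "wallet.dat",
    "$string4": "Keylog Records",
    "$string5": "do not script -->",
    "$string6": "\\pidloc.txt",
    "$string7": "BSPLIT",
}

Hit = Tuple[int, str]  # (offset, "ascii" | "wide")


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """All (possibly overlapping) offsets of needle in buf."""
    offsets, start = [], 0
    while (i := buf.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def scan(buf: bytes, base: int = 0) -> Dict[str, List[Hit]]:
    """Map each rule string to its hits. .NET user strings are UTF-16LE, so the
    'wide' form is the one that fires on a HawkEye dump; base shifts offsets to
    the region's load address (the report's region starts at 0x402000)."""
    hits: Dict[str, List[Hit]] = {}
    for name, text in RULE_STRINGS.items():
        found = [(base + o, "ascii") for o in find_all(buf, text.encode("ascii"))]
        found += [(base + o, "wide") for o in find_all(buf, text.encode("utf-16-le"))]
        if found:
            hits[name] = sorted(found)
    return hits


def rule_matches(hits: Dict[str, List[Hit]]) -> bool:
    """Assumed rule condition: $key and $salt and all of ($string*), with every
    string declared wide, so ASCII-only hits do not count toward a match."""
    wide = {name for name, h in hits.items() if any(enc == "wide" for _, enc in h)}
    return {"$key", "$salt"} <= wide and all(f"$string{i}" in wide for i in range(1, 8))


def build_sample(encoding: str = "utf-16-le") -> bytes:
    """Constructed blob (not a real dump): 16 bytes of padding, then each rule
    string followed by a two-byte terminator and five filler bytes."""
    parts = [b"\x00" * 16]
    for text in RULE_STRINGS.values():
        parts.append(text.encode(encoding))
        parts.append(b"\x00\x00" + b"\x90" * 5)
    return b"".join(parts)


if __name__ == "__main__":
    found = scan(build_sample(), base=0x402000)
    for name, hit_list in found.items():
        print(name, [(hex(off), enc) for off, enc in hit_list])
    print("rule matches:", rule_matches(found))
```

On a real dump, feed the bytes of the matched region (read the .sdmp file, or dump the RegAsm.exe process) to `scan` and compare the offsets against the ones the report lists; an ASCII-only copy of the same strings, as produced by `build_sample("ascii")`, is found but does not satisfy the rule.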

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
Data:
  Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
  CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
  CommandLine|base64offset|contains: ^
  Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ParentProcessId: 6800
  ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
  ProcessId: 6616
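The Sigma hit and the Startup tree together describe a chain worth detecting on its own: RegAsm.exe, a Microsoft .NET Framework tool that needs an assembly path to do anything, is started twice with no arguments by an executable in the user's Desktop folder, and one of those copies then runs vbc.exe (the VB.NET compiler) with NirSoft's /stext "save report to text file" switch, which no compiler accepts. The OriginalFilename strings mailpv.exe and WebBrowserPassView.exe found in INVOICE.exe's memory are the tools whose output those two files hold. As an added example (not Joe Sandbox code and not the Sigma rule's logic), the Python below runs those three checks plus a WerFault crash correlation over process-creation events. The events are constructed from the Startup tree as printed; the PPID of INVOICE.exe and the entries in DOTNET_HOSTS other than RegAsm.exe and vbc.exe are assumptions, the latter a generalisation to other .NET binaries commonly used the same way.

```python
"""Flag the RegAsm.exe / vbc.exe chain from the report's Startup tree in process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's Startup tree (pids, images and command lines as printed there);
# not a real Sysmon/ETW export. The PPID 1000 for INVOICE.exe is an assumption.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(6880, 1000, r"C:\Users\user\Desktop\INVOICE.exe", r"'C:\Users\user\Desktop\INVOICE.exe'"),
    ProcEvent(6816, 6880, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ProcEvent(6800, 6880, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ProcEvent(6616, 6800, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    ProcEvent(7068, 6800, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"),
    ProcEvent(6096, 6800, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 2032"),
]

# .NET Framework binaries abused as injection hosts. RegAsm.exe and vbc.exe are the two in this
# report; the others are an assumption added as a generalisation.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe", "installutil.exe", "msbuild.exe"}
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")
# NirSoft "save report as" switches; a .NET compiler never takes one.
NIRSOFT_SWITCH = re.compile(r"(?:^|\s)(/s(?:text|html|verhtml|xml|csv|comma|tab))\b", re.I)
NIRSOFT_OUTPUT = re.compile(r"/s\w+\s+['\"]?([^'\"]+)", re.I)
WERFAULT_TARGET = re.compile(r"-p\s+(\d+)")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def args_after_image(ev: ProcEvent) -> str:
    """Command-line tail after the (possibly quoted) image path; Joe Sandbox prints single quotes."""
    m = re.match(r"""\s*['"]?""" + re.escape(ev.image) + r"""['"]?\s*(.*)$""", ev.cmdline, re.I)
    return m.group(1).strip() if m else ev.cmdline.strip()


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [reason, ...]} for every process that trips a check."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}

    def flag(pid: int, reason: str) -> None:
        findings.setdefault(pid, []).append(reason)

    for ev in events:
        name = basename(ev.image)
        if name not in DOTNET_HOSTS:
            continue
        args = args_after_image(ev)
        parent: Optional[ProcEvent] = by_pid.get(ev.ppid)
        if not args:
            flag(ev.pid, f"{name} started without arguments (nothing to register or compile)")
        if parent and not parent.image.lower().startswith(TRUSTED_PARENT_DIRS):
            flag(ev.pid, f"{name} spawned by {basename(parent.image)} from {parent.image}")
        sw = NIRSOFT_SWITCH.search(args)
        if sw:
            out = NIRSOFT_OUTPUT.search(args)
            flag(ev.pid, f"NirSoft switch {sw.group(1)} on {name}, report written to {out.group(1) if out else '?'}")

    # Second pass: WerFault names the faulting pid with -p; tie a crash to an already flagged process.
    for ev in events:
        if basename(ev.image) == "werfault.exe":
            m = WERFAULT_TARGET.search(ev.cmdline)
            if m and int(m.group(1)) in findings:
                flag(int(m.group(1)), f"flagged process crashed (WerFault pid {ev.pid})")
    return findings


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        for reason in reasons:
            print(pid, reason)
```

The argument-less RegAsm.exe check is the cheap one to deploy widely: the legitimate uses of RegAsm.exe and vbc.exe come from build tools and installers under Program Files, so the parent-directory check rarely fires on developer machines, while the NirSoft switch on a compiler binary has no benign explanation at all.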

Signature Overview

AV Detection:

Found malware configuration
Source: INVOICE.exe.6880.0.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Machine Learning detection for sample
Source: INVOICE.exe | Joe Sandbox ML: detected

Spreading:

May infect USB drives
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000002.00000002.279705313.0000000002A3A000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000002.00000002.279705313.0000000002A3A000.00000004.00000001.sdmp | Binary or memory string: m[autorun]
Source: RegAsm.exe, 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]

Data Obfuscation:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_07332711: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_073328A6: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_076EFE8A: 4x nop then lea esp, dword ptr [ebp-08h]

Networking:

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: 158.157.4.0.in-addr.arpa replaycode: Name error (3)
Source: unknown | DNS traffic detected: queries for: 158.157.4.0.in-addr.arpa

Strings found in binary or memory
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000002.00000002.279334500.0000000002771000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000002.00000003.246530832.0000000005A0F000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: RegAsm.exe, 00000002.00000003.246610380.0000000005A0F000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlr
Source: RegAsm.exe, 00000002.00000003.244686828.0000000005A11000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 00000002.00000002.283587011.0000000005A00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comad
Source: RegAsm.exe, 00000002.00000002.283587011.0000000005A00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comceTF
Source: RegAsm.exe, 00000002.00000002.283587011.0000000005A00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commeta
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000002.00000003.241395943.0000000000E4D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comc
Source: RegAsm.exe, 00000002.00000003.241368437.0000000005A1B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comre
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000002.00000003.243699238.0000000005A04000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnC
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000002.00000002.279417095.00000000027DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 00000002.00000002.283628788.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

Reading these strings: the long block containing the moz_logins SELECT statement and the IntelliForms\Storage2 registry path is browser-credential extraction logic, which fits the OriginalFilenameWebBrowserPassView.exe string found in the same 058B3000 region. The font-vendor URLs in the 5AF0000 region (fontbureau, carterandcone, tiro, sakkal, founder.com.cn and the like) come from font metadata loaded by the .NET runtime and are not indicators, and trailing characters such as "crl0r", "comad" or "designersG" are the bytes following each string in memory, not part of the URL. The strings worth keeping from this list are http://whatismyipaddress.com/ (external IP lookup), http://www.nirsoft.net/ (the embedded NirSoft recovery tools) and http://www.site.com/logs.php.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.279663528.0000000002A1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238816723.0000000005EC2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.279650416.0000000002A0C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238037346.00000000041A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INVOICE.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6800, type: MEMORY
Source: Yara match | File source: 0.2.INVOICE.exe.5ec0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Creates a DirectInput object (often for capturing keystrokes)
Source: INVOICE.exe, 00000000.00000002.237890894.00000000014C0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.279663528.0000000002A1C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.238816723.0000000005EC2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.238816723.0000000005EC2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.279650416.0000000002A0C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.238037346.00000000041A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.238037346.00000000041A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: INVOICE.exe

Contains functionality to call native functions
Source: C:\Users\user\Desktop\INVOICE.exe | Code function 0_2_058A00AD: NtOpenSection, NtMapViewOfSection
Source: C:\Users\user\Desktop\INVOICE.exe | Code function 0_2_058A1C09: CreateProcessW, NtQueryInformationProcess, NtReadVirtualMemory, NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtTerminateProcess, NtUnmapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_07332BD8: NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_07332BD0: NtUnmapViewOfSection
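The call list for function 0_2_058A1C09 is the process-hollowing sequence that explains the Startup tree: create a child (RegAsm.exe, started suspended per "Creates a process in suspended mode"), query and read it, unmap its image with NtUnmapViewOfSection, write the payload with NtWriteVirtualMemory, repoint the main thread with NtSetContextThread and resume it. The NtCreateSection / NtMapViewOfSection pair in the same function is the section-mapping way of placing the payload, which the report records separately as "Maps a DLL or memory area into another process". As an added example (editor's code, not Joe Sandbox's signature logic), the Python below matches an ordered API trace against both patterns as in-order subsequences; the pattern definitions, the Zw/Win32 alias handling and the benign trace are the editor's, and the report trace is copied from the line above.

```python
"""Match an API-call trace against process-hollowing call patterns."""
from typing import Dict, List, Optional, Sequence

# Call sequence reported for INVOICE.exe function 0_2_058A1C09, copied from the report.
REPORT_TRACE: List[str] = [
    "CreateProcessW", "NtQueryInformationProcess", "NtReadVirtualMemory",
    "NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection",
    "NtTerminateProcess", "NtUnmapViewOfSection", "NtWriteVirtualMemory",
    "NtGetContextThread", "NtSetContextThread", "NtResumeThread",
]

# Constructed benign trace: a launcher that starts a child suspended, inspects it and resumes it.
BENIGN_TRACE: List[str] = ["CreateProcessW", "NtQueryInformationProcess", "NtReadVirtualMemory", "NtResumeThread"]

# Ordered (not necessarily adjacent) calls that characterise the two usual ways of
# replacing a suspended child's image. The pattern definitions are the editor's.
PATTERNS: Dict[str, Sequence[str]] = {
    # classic RunPE: unmap the original image, write the payload, redirect the thread
    "hollowing_unmap_write": ("CreateProcess", "NtUnmapViewOfSection", "NtWriteVirtualMemory",
                              "NtSetContextThread", "NtResumeThread"),
    # section variant: create a section, map it (locally and into the child), redirect the thread
    "hollowing_section_map": ("CreateProcess", "NtCreateSection", "NtMapViewOfSection",
                              "NtMapViewOfSection", "NtSetContextThread", "NtResumeThread"),
}

# Win32 wrappers a trace may show instead of the native call they end up in.
WIN32_ALIAS = {
    "WriteProcessMemory": "NtWriteVirtualMemory",
    "SetThreadContext": "NtSetContextThread",
    "GetThreadContext": "NtGetContextThread",
    "ResumeThread": "NtResumeThread",
}


def _canonical(name: str) -> str:
    """Zw* and Nt* are the same syscall; map Win32 wrappers to their native name."""
    if name.startswith("Zw"):
        return "Nt" + name[2:]
    return WIN32_ALIAS.get(name, name)


def _same_call(seen: str, wanted: str) -> bool:
    # "CreateProcess" covers the A/W/AsUser variants.
    if wanted == "CreateProcess":
        return seen.startswith("CreateProcess")
    return _canonical(seen) == wanted


def find_subsequence(trace: Sequence[str], pattern: Sequence[str]) -> Optional[List[int]]:
    """Indices in trace where pattern occurs in order (gaps allowed), or None."""
    matched: List[int] = []
    for i, call in enumerate(trace):
        if len(matched) < len(pattern) and _same_call(call, pattern[len(matched)]):
            matched.append(i)
    return matched if len(matched) == len(pattern) else None


def classify(trace: Sequence[str]) -> Dict[str, List[int]]:
    """Every hollowing pattern present in the trace, with the matched call indices."""
    result: Dict[str, List[int]] = {}
    for name, pattern in PATTERNS.items():
        m = find_subsequence(trace, pattern)
        if m is not None:
            result[name] = m
    return result


if __name__ == "__main__":
    for label, trace in (("report", REPORT_TRACE), ("benign", BENIGN_TRACE)):
        print(label, classify(trace) or "no hollowing pattern")
```

Subsequence matching is deliberately loose: the calls in a real trace are interleaved with allocation, PEB reads and error handling, so requiring adjacency would miss most samples, while requiring order keeps a debugger's read/get-context/resume sequence out of the match.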
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0261B29C2_2_0261B29C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0261C3102_2_0261C310
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0261B2902_2_0261B290
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_026199D02_2_026199D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0261DFD02_2_0261DFD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07331BF02_2_07331BF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_076EB4E02_2_076EB4E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_076EEEC82_2_076EEEC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_076EBDB02_2_076EBDB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_076EB1982_2_076EB198
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_076E00062_2_076E0006
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_076E6FE32_2_076E6FE3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_076E6FA02_2_076E6FA0
              Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 2032
              Source: INVOICE.exe, 00000000.00000002.237890894.00000000014C0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs INVOICE.exe
              Source: INVOICE.exe, 00000000.00000002.238510188.0000000005680000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePLcUdbWTygyWzwKb.river.exe4 vs INVOICE.exe
              Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INVOICE.exe
              Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INVOICE.exe
              Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs INVOICE.exe
              Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs INVOICE.exe
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: netapi32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: netprofm.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: npmproxy.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: netprofm.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: npmproxy.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: windows.security.authentication.onlineid.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: cryptnet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: rmclient.dllJump to behavior
Source: 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.279663528.0000000002A1C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.238816723.0000000005EC2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.238816723.0000000005EC2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.279650416.0000000002A0C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.238037346.00000000041A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.238037346.00000000041A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: INVOICE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (3 identical entries)
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (3 identical entries)
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, Form1.cs | Base64 encoded string: 'ii4fzorR5ZdqzZpbBxBVK+4jFKmLWkzfJjaeFwa/u74u1Ap/gS2DL3DDcN4TR6IZ', 'vhGaC1xstEHttVY50fahabuway8Jdkyek58HQf1pZti47ppTwiMUjsNtkDbxeQTs', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'ii4fzorR5ZdqzZpbBxBVK+4jFKmLWkzfJjaeFwa/u74u1Ap/gS2DL3DDcN4TR6IZ', 'vhGaC1xstEHttVY50fahabuway8Jdkyek58HQf1pZti47ppTwiMUjsNtkDbxeQTs', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
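Added triage example, not part of the sandbox report and not code from the sample: the three Base64 strings above sit in the same Form1.cs as the CreateDecryptor/TransformFinalBlock calls, so the first question is whether they decode to text or to block-cipher output. The script decodes each string exactly as listed in the report, checks whether the byte length is a multiple of the 16-byte AES/Rijndael block (the cipher, key and IV actually used are not visible on this page and are not assumed here), and measures entropy and printable ratio. The verdict thresholds are my own heuristics, not the sandbox's.

```python
import base64
import math
import string

# Copied from the report (Form1.cs, "Base64 encoded string").
REPORTED_STRINGS = [
    "ii4fzorR5ZdqzZpbBxBVK+4jFKmLWkzfJjaeFwa/u74u1Ap/gS2DL3DDcN4TR6IZ",
    "vhGaC1xstEHttVY50fahabuway8Jdkyek58HQf1pZti47ppTwiMUjsNtkDbxeQTs",
    "PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w==",
]

AES_BLOCK = 16  # AES/Rijndael block size; assumption based on the .NET API names, not on the page


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_b64(s: str) -> dict:
    """Decode one Base64 string and describe what the raw bytes look like."""
    raw = base64.b64decode(s, validate=True)
    printable = sum(1 for b in raw if chr(b) in string.printable) / len(raw)
    block_aligned = len(raw) % AES_BLOCK == 0
    ent = shannon_entropy(raw)
    # Heuristic (mine): padded block-cipher output is block aligned, high entropy, non-printable.
    if block_aligned and ent > 4.0 and printable < 0.9:
        verdict = "likely block-cipher ciphertext"
    elif printable > 0.9:
        verdict = "plaintext"
    else:
        verdict = "binary/unknown"
    return {
        "b64": s,
        "length": len(raw),
        "block_aligned": block_aligned,
        # With PKCS#7 padding the plaintext is between len-16 and len-1 bytes long.
        "plaintext_range": (len(raw) - AES_BLOCK, len(raw) - 1) if block_aligned else None,
        "entropy": round(ent, 2),
        "printable_ratio": round(printable, 2),
        "verdict": verdict,
    }


def triage_all(strings=REPORTED_STRINGS) -> list:
    return [triage_b64(s) for s in strings]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['length']:3d} bytes  aligned={r['block_aligned']}  H={r['entropy']}  "
              f"{r['verdict']}  {r['b64'][:24]}...")
```

All three strings decode to 48, 48 and 64 bytes, every one a multiple of 16, which is what you get from a padded block cipher and not from Base64-wrapped text. That is consistent with these being encrypted configuration fields (the decryptor lives in the same class); recovering them needs the key material from the decompiled Form1.cs, which this page does not show.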
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/7@1/1
Source: C:\Users\user\Desktop\INVOICE.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6800
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B86.tmp
Source: INVOICE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INVOICE.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\Desktop\INVOICE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: unknown | Process created: C:\Users\user\Desktop\INVOICE.exe 'C:\Users\user\Desktop\INVOICE.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (2 identical entries)
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 2032
Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
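The process tree above is the characteristic HawkEye shape: a launcher in a user-writable folder starts RegAsm.exe with no arguments at all (a signed .NET Framework binary used as the hollowing host), and that RegAsm.exe then starts vbc.exe with the NirSoft /stext switch so the injected MailPassView and WebBrowserPassView copies write recovered credentials to holdermail.txt and holderwb.txt. The detector below is an added example, not part of the report and not the sandbox's own logic; it runs three rules over constructed process-creation events that mirror the tree above. The PIDs, the benign MSBuild/devenv control events, and the extra host names in DOTNET_HOSTS beyond RegAsm.exe and vbc.exe are assumptions, not facts from the report.

```python
from dataclasses import dataclass
from typing import Dict, List

# The report shows RegAsm.exe and vbc.exe as hollowing hosts; the other names are assumed
# common .NET LOLBin hosts and are not taken from the report.
DOTNET_HOSTS = {"regasm.exe", "vbc.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
# Path fragments an ordinary user can write to; a launcher living there is suspicious.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # command line as logged ("" when none)


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def _arguments(e: ProcEvent) -> str:
    """Command line with the leading image token removed (quoted with \" or ', or bare)."""
    cl = e.cmdline.strip()
    for token in (f'"{e.image}"', f"'{e.image}'", e.image):
        if cl.lower().startswith(token.lower()):
            return cl[len(token):].strip()
    return cl   # logger did not repeat the image path; treat the whole line as arguments


def detect(events: List[ProcEvent]) -> List[dict]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[dict] = []
    for e in events:
        name = _name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = _name(parent.image) if parent else "<unknown>"
        args = _arguments(e)
        # Rule 1: a .NET host started bare (no arguments) by something in a user-writable path.
        # RegAsm/vbc do nothing useful without arguments, so a bare start is the hollowing pattern.
        if name in DOTNET_HOSTS and parent is not None and _user_writable(parent.image) and not args:
            alerts.append({"pid": e.pid, "rule": "dotnet_host_no_args_from_user_path",
                           "detail": f"{parent_name} -> {name} with empty command line"})
        # Rule 2: NirSoft's /stext switch (MailPassView, WebBrowserPassView) on a process that is
        # not a NirSoft tool: the credential dumper was injected into a signed host.
        if "/stext" in args.lower():
            alerts.append({"pid": e.pid, "rule": "nirsoft_stext_switch",
                           "detail": f"{name} {args}"})
        # Rule 3: the exact parent/child pair from the report.
        if name == "vbc.exe" and parent_name == "regasm.exe":
            alerts.append({"pid": e.pid, "rule": "regasm_spawns_vbc",
                           "detail": f"pid {e.ppid} regasm.exe -> pid {e.pid} vbc.exe"})
    return alerts


# Constructed events mirroring the report's tree (PIDs and the MSBuild/devenv events are made up).
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS = [
    ProcEvent(5000, 4000, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(6000, 5000, r"C:\Users\user\Desktop\INVOICE.exe", r"'C:\Users\user\Desktop\INVOICE.exe'"),
    ProcEvent(6800, 6000, REGASM, REGASM),
    ProcEvent(7100, 6800, VBC, VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    ProcEvent(7200, 6800, VBC, VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"),
    # Benign control: a developer build, host has arguments and a parent under Program Files.
    ProcEvent(9000, 5000, r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
              r"devenv.exe"),
    ProcEvent(8000, 9000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe build.proj /t:Build"),
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid {a['pid']:5d}  {a['rule']:38s} {a['detail']}")
```

Rule 1 is the one worth keeping in production: it fires on the RegAsm.exe start alone, before any credential file is written, and does not fire on the MSBuild control event because that host has arguments and a parent under Program Files. Rules 2 and 3 confirm the specific HawkEye chain seen here.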
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: INVOICE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INVOICE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.285516310.00000000081CA000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.285516310.00000000081CA000.00000004.00000010.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER6B86.tmp.dmp.10.dr
Source: Binary string: System.Xml.ni.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.285516310.00000000081CA000.00000004.00000010.sdmp
Source: Binary string: Accessibility.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: System.ni.pdbRSDS source: WER6B86.tmp.dmp.10.dr
Source: Binary string: o0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000002.00000002.285516310.00000000081CA000.00000004.00000010.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER6B86.tmp.dmp.10.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: System.Configuration.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: .pdbg source: RegAsm.exe, 00000002.00000002.285516310.00000000081CA000.00000004.00000010.sdmp
Source: Binary string: System.Xml.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: System.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: CMemoryExecute.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: RegAsm.PDB source: RegAsm.exe, 00000002.00000002.285516310.00000000081CA000.00000004.00000010.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: System.pdb@ source: WER6B86.tmp.dmp.10.dr
Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000002.00000002.285516310.00000000081CA000.00000004.00000010.sdmp, WER6B86.tmp.dmp.10.dr
Source: Binary string: _ .pdb0 source: RegAsm.exe, 00000002.00000002.285516310.00000000081CA000.00000004.00000010.sdmp
Source: Binary string: System.Drawing.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: System.Management.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: CMemoryExecute.pdb< source: WER6B86.tmp.dmp.10.dr
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.279334500.0000000002771000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER6B86.tmp.dmp.10.dr
Source: Binary string: System.Core.pdb source: WER6B86.tmp.dmp.10.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: INVOICE.exe, 00000000.00000002.238731864.00000000058B3000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.278578909.0000000000402000.00000040.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER6B86.tmp.dmp.10.dr
Source: Binary string: System.Drawing.pdbl source: WER6B86.tmp.dmp.10.dr
Source: Binary string: System.ni.pdb source: WER6B86.tmp.dmp.10.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INVOICE.exe.5ec0000.3.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00E178CC push eax; ret 0_2_00E178D4
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00E148A3 push eax; ret 0_2_00E148A4
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00E145F5 push edi; iretd 0_2_00E1461E
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00E1795C push eax; ret 0_2_00E179B4
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00E17921 push eax; ret 0_2_00E179B4
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00E17905 push eax; ret 0_2_00E179B4
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00E16A84 push eax; ret 0_2_00E16A94
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00E13E70 push C79DFFACh; retf 0_2_00E13E84
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00E177C9 push eax; ret 0_2_00E177D4
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00E15706 push ebx; retf 0_2_00E1570B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02610488 pushad ; iretd 2_2_0261048A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0261048B pushad ; iretd 2_2_0261048E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0261048F pushad ; iretd 2_2_02610492
Source: initial sample | Static PE information: section name: .text entropy: 7.28975668879

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Windows\SysWOW64\WerFault.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\INVOICE.exe | Process information set: NOOPENFILEERRORBOX (14 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (55 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Users\user\Desktop\INVOICE.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\INVOICE.exe TID: 6916 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3972 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6112 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5208 | Thread sleep time: -140000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5484 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6504 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort (2 identical entries)
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_058A01CB mov eax, dword ptr fs:[00000030h] 0_2_058A01CB
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_058A00AD mov ecx, dword ptr fs:[00000030h] 0_2_058A00AD
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_058A00AD mov eax, dword ptr fs:[00000030h] 0_2_058A00AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\INVOICE.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              .NET source code references suspicious native API functions
              Source: 0.2.INVOICE.exe.5ec0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 0.2.INVOICE.exe.5ec0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 2.2.RegAsm.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Maps a DLL or memory area into another process
              Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7E6008
              Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
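              Two things in the behaviour lines above are worth pulling out mechanically rather than by eye: the evasion entries (the 922337203685477 waits, the DebugPort queries, the fs:[00000030h] reads of the PEB) and the injection chain (INVOICE.exe maps an RWX section into and writes memory of the RegAsm.exe it spawned, after which RegAsm.exe launches vbc.exe with the NirSoft-style /stext switch to dump credentials to a text file). The Python below is an added example and is not code from the Joe Sandbox report or its tooling. The SAMPLE_EVENTS lines are constructed to mirror the report's entries; the 30000 ms sleep budget mirrors the report's "-30000s" comparison (units assumed to be milliseconds); TIMESPAN_MAX_MS is .NET TimeSpan.MaxValue in whole milliseconds, which is exactly the figure the report shows.

```python
"""Mechanical triage of sandbox behaviour lines for two patterns seen in this
report: sandbox/debugger evasion and a RunPE-style injection chain that ends
in a '/stext' credential dump.

Added example, not code from the Joe Sandbox report or its tooling.
"""
import re
from collections import defaultdict

# Assumption: the report's "-30000s" comparison is a 30 000 ms sandbox sleep
# budget; a wait at or above it is treated as a sleep-based evasion attempt.
SANDBOX_SLEEP_LIMIT_MS = 30_000

# .NET TimeSpan.MaxValue in whole milliseconds: Int64.MaxValue ticks of 100 ns
# // 10_000 == 922337203685477, the exact figure in the report. A wait of that
# length never returns, so it is an effectively infinite sleep.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# Constructed sample, modelled on the report's lines (not copied from its output).
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\INVOICE.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_058A01CB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7E6008
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
"""

# Source executable, then the event kind (text up to the next colon), then the
# detail. The optional whitespace after the source also copes with the
# run-together form seen in extracted reports ("INVOICE.exeProcess queried: ...").
LINE_RE = re.compile(r"^Source:\s*(?P<source>\S+?\.exe)\s*(?P<kind>[^:]+):\s*(?P<detail>.*)$")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\\S+?\.exe")


def parse_events(text):
    """Turn behaviour lines into dicts; drop link residue and non-matching lines."""
    events = []
    for raw in text.splitlines():
        line = re.sub(r"Jump to behavior$", "", raw.strip())
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def evasion_findings(events):
    """Flag long/infinite waits and the two anti-debug checks the report shows."""
    findings = []
    for e in events:
        if e["kind"] == "Thread delayed":
            ms = int(re.search(r"\d+", e["detail"]).group())
            if ms >= TIMESPAN_MAX_MS:
                findings.append((e["source"], "effectively infinite wait (TimeSpan.MaxValue in ms)"))
            elif ms >= SANDBOX_SLEEP_LIMIT_MS:
                findings.append((e["source"], f"long sleep of {ms} ms exceeds sandbox budget"))
        elif e["kind"] == "Process queried" and e["detail"] == "DebugPort":
            findings.append((e["source"], "ProcessDebugPort query (debugger check)"))
        elif e["kind"] == "Code function" and "fs:[00000030h]" in e["detail"]:
            findings.append((e["source"], "reads PEB via fs:[30h] (BeingDebugged-style check)"))
    return findings


def injection_chains(events):
    """Return (injector, target, dumper_cmdline) triples.

    A chain is: process A writes memory into / maps a section into process B,
    A also created B, and B then launches a command containing '/stext'.
    """
    written = defaultdict(set)   # injector -> targets it wrote into
    created = defaultdict(list)  # parent -> child command lines
    for e in events:
        if e["kind"] in ("Memory written", "Section loaded"):
            m = WIN_PATH_RE.search(e["detail"])
            if m:
                written[e["source"]].add(m.group(0))
        elif e["kind"] == "Process created":
            created[e["source"]].append(e["detail"])
    chains = []
    for injector, targets in written.items():
        for target in targets:
            if not any(cmd.startswith(target) for cmd in created[injector]):
                continue
            for cmd in created[target]:
                if "/stext" in cmd:
                    chains.append((injector, target, cmd))
    return chains


def triage(text):
    """Run both rules over raw report text and return the findings."""
    events = parse_events(text)
    return {"evasion": evasion_findings(events), "injection_chains": injection_chains(events)}


if __name__ == "__main__":
    for key, items in triage(SAMPLE_EVENTS).items():
        print(key)
        for item in items:
            print("  ", item)
```

              Running it over the constructed sample yields four evasion findings and one chain, INVOICE.exe to RegAsm.exe to vbc.exe /stext. Note that the chain rule deliberately requires the injector to have both created the target and written into it: a parent that merely spawns a child, or a process that only reads another's memory, does not trigger it.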
              Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Users\user\Desktop\INVOICE.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeI