
Analysis Report PAYMENT_SLIP.exe

Overview

General Information

Sample Name:PAYMENT_SLIP.exe
Analysis ID:260433
MD5:f5af83d7dd3c7d33d5f7e1765509a309
SHA1:e64937bcad1b561d6adbc2e33e56d7eab5d390d9
SHA256:ce5e82f16ce8eacf843209211cb6a4b4f006f46d86f7d9f39c271beacc5b52aa

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PAYMENT_SLIP.exe (PID: 6864 cmdline: 'C:\Users\user\Desktop\PAYMENT_SLIP.exe' MD5: F5AF83D7DD3C7D33D5F7E1765509A309)
    • RegAsm.exe (PID: 6932 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 7032 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 7040 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 7048 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 6400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 1832 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6628 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 4568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6624 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 7132 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 192 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source, Rule, Description, Author, Strings
Source: 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x10667:$key: HawkEyeKeylogger
  • 0x128d1:$salt: 099u787978786
  • 0x10ca8:$string1: HawkEye_Keylogger
  • 0x11afb:$string1: HawkEye_Keylogger
  • 0x12831:$string1: HawkEye_Keylogger
  • 0x11091:$string2: holdermail.txt
  • 0x110b1:$string2: holdermail.txt
  • 0x10fd3:$string3: wallet.dat
  • 0x10feb:$string3: wallet.dat
  • 0x11001:$string3: wallet.dat
  • 0x123f5:$string4: Keylog Records
  • 0x1270d:$string4: Keylog Records
  • 0x12929:$string5: do not script -->
  • 0x1064f:$string6: \pidloc.txt
  • 0x106dd:$string7: BSPLIT
  • 0x106ed:$string7: BSPLIT
Source: 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Author: Joe Security
Source: 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, Rule: Hawkeye, Description: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
  • 0x10d00:$hawkstr1: HawkEye Keylogger
  • 0x11b41:$hawkstr1: HawkEye Keylogger
  • 0x11e70:$hawkstr1: HawkEye Keylogger
  • 0x11fcb:$hawkstr1: HawkEye Keylogger
  • 0x1212e:$hawkstr1: HawkEye Keylogger
  • 0x123cd:$hawkstr1: HawkEye Keylogger
  • 0x1088e:$hawkstr2: Dear HawkEye Customers!
  • 0x11ec3:$hawkstr2: Dear HawkEye Customers!
  • 0x1201a:$hawkstr2: Dear HawkEye Customers!
  • 0x12181:$hawkstr2: Dear HawkEye Customers!
  • 0x109af:$hawkstr3: HawkEye Logger Details:
Source: 00000005.00000002.289614169.0000000003A42000.00000004.00000001.sdmp, Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Author: Joe Security
Source: 00000005.00000002.289457964.00000000039D9000.00000004.00000001.sdmp, Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Author: Joe Security

Unpacked PEs

Source, Rule, Description, Author, Strings
Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Author: Joe Security
Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Author: Joe Security
Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Author: Joe Security
Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Rule: Hawkeye, Description: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
  • 0x7bfb0:$hawkstr1: HawkEye Keylogger
  • 0x7cdf1:$hawkstr1: HawkEye Keylogger
  • 0x7d120:$hawkstr1: HawkEye Keylogger
  • 0x7d27b:$hawkstr1: HawkEye Keylogger
  • 0x7d3de:$hawkstr1: HawkEye Keylogger
  • 0x7d67d:$hawkstr1: HawkEye Keylogger
  • 0x7bb3e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d173:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d431:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc5f:$hawkstr3: HawkEye Logger Details:

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started, Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update), Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 7048, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 6628

Signature Overview

AV Detection:

Found malware configuration
Source: RegAsm.exe.7048.5.memstr, Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Machine Learning detection for sample
Source: PAYMENT_SLIP.exe, Joe Sandbox ML: detected
Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: RegAsm.exe, 00000005.00000002.282146574.0000000000402000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000005.00000002.282146574.0000000000402000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then call 0508A6E8h, 5_2_0762CF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_0762CF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_0762D634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_076226D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_0762DD13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_0762DDFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_0762D30F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_07622B99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_0762326B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then call 0508A6E8h, 5_2_0762D04A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_0762D04A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_07622835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then call 0508A6E8h, 5_2_0762C800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 5_2_0762C800
Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.289614169.0000000003A42000.00000004.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.289614169.0000000003A42000.00000004.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown, DNS traffic detected: queries for: 231.29.2.0.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match, File source: 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.282146574.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.222456290.0000000005657000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.222565754.0000000005DA2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.284665525.00000000029D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY
Source: Yara match, File source: Process Memory Space: WerFault.exe PID: 6400, type: MEMORY
Source: Yara match, File source: Process Memory Space: PAYMENT_SLIP.exe PID: 6864, type: MEMORY
Source: Yara match, File source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Form1.cs, .Net Code: HookKeyboard
Source: 5.2.RegAsm.exe.400000.0.unpack, Form1.cs, .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_076204E4 SetWindowsHookExA 0000000D,00000000,?,?, 5_2_076204E4
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Window created: window name: CLIPBRDWNDCLASS

System Summary:

              Malicious sample detected (through community Yara rule)Show sources
              Source: 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000002.282146574.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000005.00000002.282146574.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.222456290.0000000005657000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.222456290.0000000005657000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.222565754.0000000005DA2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.222565754.0000000005DA2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000002.284665525.00000000029D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Initial sample is a PE file and has a suspicious nameShow sources
              Source: initial sampleStatic PE information: Filename: PAYMENT_SLIP.exe
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe | Code function: 0_2_05641C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread, 0_2_05641C09
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe | Code function: 0_2_056400AD NtOpenSection,NtMapViewOfSection, 0_2_056400AD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_07682720 NtWriteVirtualMemory, 5_2_07682720
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_076827D8 NtSetContextThread, 5_2_076827D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_076825C0 NtResumeThread, 5_2_076825C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_07682718 NtWriteVirtualMemory, 5_2_07682718
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_076827D0 NtSetContextThread, 5_2_076827D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_076825BA NtResumeThread, 5_2_076825BA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0293B29C 5_2_0293B29C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0293C310 5_2_0293C310
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0293B290 5_2_0293B290
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_029399D0 5_2_029399D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0293DFD0 5_2_0293DFD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0762E548 5_2_0762E548
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_07623BE8 5_2_07623BE8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_07622BA8 5_2_07622BA8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_076222B8 5_2_076222B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0762F188 5_2_0762F188
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0762C810 5_2_0762C810
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_076298C0 5_2_076298C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_07623BD7 5_2_07623BD7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_076222A9 5_2_076222A9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0762C800 5_2_0762C800
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_07681BF0 5_2_07681BF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_07680798 5_2_07680798
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_077FB4E0 5_2_077FB4E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_077F0040 5_2_077F0040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_077FEEC8 5_2_077FEEC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_077FBDB0 5_2_077FBDB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_077FB198 5_2_077FB198
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_077F0007 5_2_077F0007
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 1832
              Source: PAYMENT_SLIP.exe, 00000000.00000002.222303069.0000000005470000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCbFpubpPogNybrNq.river.exe4 vs PAYMENT_SLIP.exe
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PAYMENT_SLIP.exe
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PAYMENT_SLIP.exe
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PAYMENT_SLIP.exe
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PAYMENT_SLIP.exe
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000005.00000002.282146574.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000005.00000002.282146574.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.222456290.0000000005657000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.222456290.0000000005657000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.222565754.0000000005DA2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.222565754.0000000005DA2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000005.00000002.284665525.00000000029D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: PAYMENT_SLIP.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 5.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 5.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 5.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 5.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: 5.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@16/15@1/1
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT_SLIP.exe.log
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6628
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7048
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6624
              Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2075.tmp
              Source: PAYMENT_SLIP.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT_SLIP.exe 'C:\Users\user\Desktop\PAYMENT_SLIP.exe'
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 1832
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 176
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 192
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: PAYMENT_SLIP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: PAYMENT_SLIP.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdbb,Mvt source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: propsys.pdbd,Gv source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 00000017.00000002.310347106.0000000005020000.00000002.00000001.sdmp, WerFault.exe, 00000018.00000002.311206676.0000000005700000.00000002.00000001.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.257057076.000000000500B000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.288095264.0000000000D94000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.289553780.00000000036B1000.00000004.00000001.sdmp
              Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.266385007.00000000056A2000.00000004.00000040.sdmp
              Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: RegAsm.pdb source: WerFault.exe, 00000009.00000002.279148329.00000000031A0000.00000002.00000001.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.267038786.00000000056A0000.00000004.00000040.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.287901263.0000000000D8E000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.289674973.000000000369B000.00000004.00000001.sdmp
              Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.266569783.00000000056AE000.00000004.00000040.sdmp
              Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000009.00000003.266750048.00000000056A1000.00000004.00000040.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: ility.pdb source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.276789017.0000000000B02000.00000004.00000010.sdmp, WerFault.exe, 00000017.00000002.306789405.0000000000A72000.00000004.00000010.sdmp, WerFault.exe, 00000018.00000002.308742396.0000000000F82000.00000004.00000010.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.266750048.00000000056A1000.00000004.00000040.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: i0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000005.00000002.299747124.000000000835A000.00000004.00000010.sdmp
              Source: Binary string: RegAsm.PDB source: RegAsm.exe, 00000005.00000002.299747124.000000000835A000.00000004.00000010.sdmp
              Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.288123362.0000000000D9A000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.290299337.00000000036A7000.00000004.00000001.sdmp
              Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.266569783.00000000056AE000.00000004.00000040.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdb: source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.297660359.00000000075D0000.00000004.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.282146574.0000000000402000.00000040.00000001.sdmp
              Source: Binary string: crypt32.pdbA source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: RegAsm.pdb4 source: WerFault.exe, 00000009.00000002.279148329.00000000031A0000.00000002.00000001.sdmp
              Source: Binary string: msctf.pdbO source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: sfc.pdb! source: WerFault.exe, 00000009.00000003.266707135.00000000056B1000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb` source: WER2075.tmp.dmp.9.dr
              Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.266385007.00000000056A2000.00000004.00000040.sdmp
              Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000005.00000002.299747124.000000000835A000.00000004.00000010.sdmp
              Source: Binary string: .pdb0 source: RegAsm.exe, 00000005.00000002.299747124.000000000835A000.00000004.00000010.sdmp
              Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.pdb source: WER2075.tmp.dmp.9.dr
              Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.266385007.00000000056A2000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000009.00000003.266569783.00000000056AE000.00000004.00000040.sdmp
              Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER2075.tmp.dmp.9.dr
              Source: Binary string: dnsapi.pdbq source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.pdbR source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000005.00000002.299747124.000000000835A000.00000004.00000010.sdmp, WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: DWrite.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.267053488.00000000056A8000.00000004.00000040.sdmp
              Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.267038786.00000000056A0000.00000004.00000040.sdmp
              Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000017.00000003.288095264.0000000000D94000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER2075.tmp.dmp.9.dr
              Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.266569783.00000000056AE000.00000004.00000040.sdmp
              Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: oleaut32.pdbh,Kv source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS source: WER2075.tmp.dmp.9.dr
              Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000017.00000003.297099421.0000000004EA1000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.298559766.0000000005611000.00000004.00000001.sdmp
              Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: xecute.pdb{{% source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000005.00000002.299747124.000000000835A000.00000004.00000010.sdmp
              Source: Binary string: xecute.pdb source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: Accessibility.pdbj source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: System.Core.ni.pdbRSDSD source: WER2075.tmp.dmp.9.dr
              Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdbfd)l source: WER2075.tmp.dmp.9.dr
              Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: rawing.pdb source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: ml.ni.pdb" source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.267038786.00000000056A0000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbj source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 00000017.00000002.310347106.0000000005020000.00000002.00000001.sdmp, WerFault.exe, 00000018.00000002.311206676.0000000005700000.00000002.00000001.sdmp
              Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.266385007.00000000056A2000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000009.00000003.266385007.00000000056A2000.00000004.00000040.sdmp
              Source: Binary string: rsaenh.pdb] source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: clrjit.pdbi source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.266385007.00000000056A2000.00000004.00000040.sdmp
              Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb" source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.pdb4"7l< source: WER2075.tmp.dmp.9.dr
              Source: Binary string: rawing.pdbn source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: wbemsvc.pdb5 source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: wgdi32full.pdb_ source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: wUxTheme.pdbW source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: System.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000017.00000003.287901263.0000000000D8E000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000005.00000002.299747124.000000000835A000.00000004.00000010.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc.pdbc source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: WLDP.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 00000009.00000003.266642478.00000000055A2000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER2075.tmp.dmp.9.dr
              Source: Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.267053488.00000000056A8000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.266569783.00000000056AE000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: PAYMENT_SLIP.exe, 00000000.00000002.221603839.0000000003F05000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.289614169.0000000003A42000.00000004.00000001.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: msasn1.pdb[ source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000003.266750048.00000000056A1000.00000004.00000040.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.267038786.00000000056A0000.00000004.00000040.sdmp
              Source: Binary string: setupapi.pdbp,sv source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb@x source: WER2075.tmp.dmp.9.dr
              Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: fastprox.pdbe source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.267038786.00000000056A0000.00000004.00000040.sdmp
              Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000017.00000003.288123362.0000000000D9A000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.290299337.00000000036A7000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdbV,Qvr source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000003.264893048.00000000057F0000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000009.00000003.266750048.00000000056A1000.00000004.00000040.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.266588021.00000000055A1000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb~,yv source: WerFault.exe, 00000009.00000003.266955575.00000000056AB000.00000004.00000040.sdmp
              Source: Binary string: comctl32.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.266750048.00000000056A1000.00000004.00000040.sdmp, WER2075.tmp.dmp.9.dr
              Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
              Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.266723531.00000000056B6000.00000004.00000040.sdmp
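              The "Binary string" entries above are PDB paths the sandbox pulled out of process memory and crash dumps. Most of them are ordinary Windows and .NET runtime symbol names that ended up in WerFault.exe's address space when a process crashed; the ones worth a second look are the non-Microsoft build paths, such as the WebBrowserPassView.pdb and CMemoryExecute.pdb entries, because a PDB path is written by the linker of whoever built the module and survives in memory even when the binary itself has been packed. The following Python is an added example of my own, not part of the Joe Sandbox report or its tooling, showing how to recover such paths from a raw dump yourself. It parses well-formed CodeView RSDS records (signature, GUID, age, NUL-terminated path), derives the symbol-server key from GUID and age so the PDB can be checked against a vendor symbol server, and falls back to a bare `.pdb` string scan that trims the trailing junk visible in entries like `oleaut32.pdbh,Kv`. The dump buffer, GUID and age are constructed fixtures, not values from this analysis.

```python
import re
import struct
import uuid
from typing import List, Tuple

RSDS_SIG = b"RSDS"
# Shortest printable run ending in ".pdb"; the lazy quantifier stops at the first
# ".pdb", which drops trailing bytes such as the "h,Kv" in "oleaut32.pdbh,Kv".
PDB_STRING_RE = re.compile(rb"[\x20-\x7e]{1,260}?\.pdb")


def _rsds_record(guid: uuid.UUID, age: int, path: bytes) -> bytes:
    """Serialise a CodeView RSDS record: 'RSDS' | GUID (16 bytes, mixed-endian) | age (u32 LE) | path | NUL."""
    return RSDS_SIG + guid.bytes_le + struct.pack("<I", age) + path + b"\x00"


# Constructed fixture (not from the sandbox report): a fake memory region holding one
# well-formed RSDS record and two bare .pdb strings with trailing garbage after them.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")  # hypothetical GUID
SAMPLE_DUMP = (
    b"\x00" * 16
    + _rsds_record(SAMPLE_GUID, 3, rb"f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb")
    + b"\x90" * 8
    + b"oleaut32.pdbh,Kv\x00"
    + b"\x00" * 4
    + b"xecute.pdb{{%\x00"
    + b"\xff" * 8
)


def parse_rsds_records(buf: bytes) -> List[Tuple[str, int, str]]:
    """Return (guid, age, path) for every RSDS CodeView record found in buf.

    A hit is only accepted when the path is printable ASCII and ends in .pdb, which
    filters out stray "RSDS" byte sequences that are not debug directory entries.
    """
    found = []
    pos = buf.find(RSDS_SIG)
    while pos != -1:
        body = pos + len(RSDS_SIG)
        if body + 20 <= len(buf):
            guid = uuid.UUID(bytes_le=buf[body:body + 16])
            age = struct.unpack_from("<I", buf, body + 16)[0]
            end = buf.find(b"\x00", body + 20)
            path = buf[body + 20:end] if end != -1 else b""
            if path.lower().endswith(b".pdb") and all(0x20 <= c < 0x7F for c in path):
                found.append((str(guid), age, path.decode("ascii")))
        pos = buf.find(RSDS_SIG, pos + 1)
    return found


def find_pdb_strings(buf: bytes) -> List[str]:
    """Bare-string fallback: every printable run ending in .pdb, trailing junk removed."""
    return [m.group(0).decode("ascii") for m in PDB_STRING_RE.finditer(buf)]


def symbol_server_key(path: str, guid: str, age: int) -> str:
    """Build the symstore lookup path <pdb>/<GUID hex, upper, no dashes><age hex>/<pdb>.

    Asking a symbol server (for example Microsoft's public one) for this key is the usual
    way to confirm that a module is a genuine vendor build rather than attacker-compiled code.
    """
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return f"{name}/{guid.replace('-', '').upper()}{age:X}/{name}"


def triage(buf: bytes) -> dict:
    """One-shot summary of a dump: parsed RSDS records, their symbol keys, and bare hits."""
    records = parse_rsds_records(buf)
    return {
        "rsds": records,
        "symbol_keys": [symbol_server_key(p, g, a) for g, a, p in records],
        "bare_strings": find_pdb_strings(buf),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(key, value)
```

              Run it against a minidump or a memory region dumped from the injected process and compare the result with the list above: bare hits with a full drive-letter build path that do not resolve on the vendor symbol server are the ones that identify attacker or third-party tooling.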

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.PAYMENT_SLIP.exe.5da0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe Code function: 0_2_00BD72C1 push ebp; iretd 0_2_00BD72C2
              Source: C:\Users\user\Desktop\PAYMENT_SLIP.exe Code function: 0_2_00BD367B push ebp; ret 0_2_00BD367C
              Source: initial sample Static PE information: section name: .text entropy: 7.25038650081
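              Two of the static signals in this block belong together: the calls to `System.Reflection.Assembly::Load(System.Byte[])` in the unpacked Form1.cs (an embedded payload loaded straight from a byte array, never touching disk) and the `.text` section entropy of 7.25 bits per byte, which is what an encrypted or compressed blob inside the section looks like. The Python below is an added example of mine, not code from the report or from Joe Sandbox, that reproduces the entropy measurement without a third-party PE library: it walks the section table by hand and scores each section's raw data, then flags sections above a cut-off. The 7.0 threshold is my chosen heuristic, and the PE image it scores is a constructed minimal fixture, not the PAYMENT_SLIP.exe sample.

```python
import math
import random
import struct
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def section_entropies(pe: bytes) -> Dict[str, float]:
    """Walk the PE section table by hand and score each section's raw (on-disk) bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # COFF NumberOfSections
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_of_optional                           # first IMAGE_SECTION_HEADER
    scores = {}
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        label = name.rstrip(b"\x00").decode("ascii", "replace")
        scores[label] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return scores


def flag_packed(scores: Dict[str, float], threshold: float = 7.0) -> List[str]:
    """Names of sections above the threshold. 7.0 bits/byte is an assumed cut-off:
    plain compiled code usually scores well below it, compressed or encrypted data approaches 8."""
    return [name for name, h in scores.items() if h > threshold]


def _build_minimal_pe(sections) -> bytes:
    """Constructed fixture: the smallest MZ/PE skeleton whose section table the parser accepts.
    It is not loadable (SizeOfOptionalHeader is 0); only the fields read above are meaningful."""
    e_lfanew = 0x40
    header_end = e_lfanew + 4 + 20 + 40 * len(sections)
    first_raw = (header_end + 0x1FF) & ~0x1FF           # first section on a 512-byte boundary
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, body, raw_ptr = b"", b"", first_raw
    for name, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(data), 0x1000,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\x00")
        raw_ptr += raw_size
    return (dos + b"PE\x00\x00" + coff + table).ljust(first_raw, b"\x00") + body


# Constructed sample: a .text section filled with seeded pseudo-random bytes standing in
# for an encrypted payload, next to a .data section of ordinary repetitive text.
_rng = random.Random(2020)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_DATA = (b"ordinary low-entropy section content, repeated to fill the section. " * 80)[:4096]
SAMPLE_PE = _build_minimal_pe([(b".text", PACKED_TEXT), (b".data", PLAIN_DATA)])


if __name__ == "__main__":
    scores = section_entropies(SAMPLE_PE)
    for name, h in scores.items():
        print(f"{name:8s} {h:.3f} bits/byte")
    print("suspicious:", flag_packed(scores))
```

              Treat the number as a prompt, not a verdict: a .NET assembly keeps its IL, metadata and resources in `.text`, so a large embedded resource can push that section high on its own. The confirming evidence is what the report shows next to it, a code path that feeds a byte array to `Assembly.Load`, and the dumped child assembly it produces.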

              Hooking and other Techniques for Hiding and Protection:
