
Analysis Report PAYMENT.PDF

Overview

General Information

Sample Name: PAYMENT.PDF (renamed file extension from PDF to exe)
Analysis ID: 260441
MD5: 42cef60b8c59b507b4a7a3d49b3842cc
SHA1: 069f949fa43c5aa1678e39f6b89e8f147dd00d3d
SHA256: f73d29d3a5ead37600a865eab0c868a610700bfd608775d253ae9e3dce1f92c8

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PAYMENT.exe (PID: 7044 cmdline: 'C:\Users\user\Desktop\PAYMENT.exe' MD5: 42CEF60B8C59B507B4A7A3D49B3842CC)
    • RegAsm.exe (PID: 7072 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 3152 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 2052 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 492 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 2296 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.320994070.0000000004392000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  Strings:
  • 0x7b717:$key: HawkEyeKeylogger
  • 0x7d981:$salt: 099u787978786
  • 0x7bd58:$string1: HawkEye_Keylogger
  • 0x7cbab:$string1: HawkEye_Keylogger
  • 0x7d8e1:$string1: HawkEye_Keylogger
  • 0x7c141:$string2: holdermail.txt
  • 0x7c161:$string2: holdermail.txt
  • 0x7c083:$string3: wallet.dat
  • 0x7c09b:$string3: wallet.dat
  • 0x7c0b1:$string3: wallet.dat
  • 0x7d4a5:$string4: Keylog Records
  • 0x7d7bd:$string4: Keylog Records
  • 0x7d9d9:$string5: do not script -->
  • 0x7b6ff:$string6: \pidloc.txt
  • 0x7b78d:$string7: BSPLIT
  • 0x7b79d:$string7: BSPLIT
00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(33 further memory-dump entries are not shown on this page)

Unpacked PEs

Source | Rule | Description | Author
0.2.PAYMENT.exe.5aa0000.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  Strings:
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
0.2.PAYMENT.exe.5aa0000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.2.PAYMENT.exe.5aa0000.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0.2.PAYMENT.exe.5aa0000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0.2.PAYMENT.exe.5aa0000.3.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x7bfb0:$hawkstr1: HawkEye Keylogger
  • 0x7cdf1:$hawkstr1: HawkEye Keylogger
  • 0x7d120:$hawkstr1: HawkEye Keylogger
  • 0x7d27b:$hawkstr1: HawkEye Keylogger
  • 0x7d3de:$hawkstr1: HawkEye Keylogger
  • 0x7d67d:$hawkstr1: HawkEye Keylogger
  • 0x7bb3e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d173:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d431:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc5f:$hawkstr3: HawkEye Logger Details:
(9 further unpacked-PE entries are not shown on this page)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started
Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
Data:
  • Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
  • CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
  • CommandLine|base64offset|contains: ^
  • Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  • ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  • ParentProcessId: 7072
  • ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
  • ProcessId: 492

Signature Overview

AV Detection:

Found malware configuration
Source: PAYMENT.exe.7044.0.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Machine Learning detection for sample
Source: PAYMENT.exe | Joe Sandbox ML: detected
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000001.00000002.315192215.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000001.00000002.315192215.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0649FE8B 4x nop then lea esp, dword ptr [ebp-08h]
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.320994070.0000000004392000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.319488748.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.320994070.0000000004392000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.319488748.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000003.319096202.00000000009FC000.00000004.00000001.sdmp | String found in binary or memory: views.htmfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000003.319096202.00000000009FC000.00000004.00000001.sdmp | String found in binary or memory: views.htmfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 72.245.12.0.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.248707947.0000000005490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.247980658.0000000003DD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.315192215.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.317819340.0000000003321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT.exe PID: 7044, type: MEMORY
Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 3152, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7072, type: MEMORY
Source: Yara match | File source: 0.2.PAYMENT.exe.5aa0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_0040D674 OpenClipboard,GetLastError,DeleteFileW
Source: PAYMENT.exe, 00000000.00000002.247780036.00000000011CA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

                System Summary:

                barindex
                Malicious sample detected (through community Yara rule)Show sources
                Source: 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.248707947.0000000005490000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.248707947.0000000005490000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.247980658.0000000003DD5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.247980658.0000000003DD5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.315192215.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.315192215.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.317819340.0000000003321000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PAYMENT.exe
Source: C:\Users\user\Desktop\PAYMENT.exe | Code function: 0_2_05481C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,0_2_05481C09
Source: C:\Users\user\Desktop\PAYMENT.exe | Code function: 0_2_054800AD NtOpenSection,NtMapViewOfSection,0_2_054800AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,13_2_00408836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0185B29C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0185C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0185B290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_018599D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0185DFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0649B4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0649EEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0649BDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_06490006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0649B198
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 2052
Source: PAYMENT.exe, 00000000.00000002.248942657.0000000005B22000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PAYMENT.exe
Source: PAYMENT.exe, 00000000.00000002.247872272.0000000001450000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewDKaPGAlcRDbNofv.river.exe4 vs PAYMENT.exe
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PAYMENT.exe
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PAYMENT.exe
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PAYMENT.exe
Source: PAYMENT.exe, 00000000.00000002.247780036.00000000011CA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: windows.security.authentication.onlineid.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: cryptnet.dll
Source: 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.248707947.0000000005490000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.248707947.0000000005490000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.247980658.0000000003DD5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.247980658.0000000003DD5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.315192215.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.315192215.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.317819340.0000000003321000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: PAYMENT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/8@1/1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,13_2_00415AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,13_2_00415F87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,13_2_00411196
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,13_2_00411EF8
Source: C:\Users\user\Desktop\PAYMENT.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7072
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER306A.tmp
Source: PAYMENT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PAYMENT.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000002.319488748.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT.exe 'C:\Users\user\Desktop\PAYMENT.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 2052
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PAYMENT.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PAYMENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.330051509.0000000008BEA000.00000004.00000010.sdmp
                Source: Binary string: anagement.pdb source: WerFault.exe, 00000006.00000003.297602729.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Core.ni.pdbRSDSD source: WER306A.tmp.dmp.6.dr
                Source: Binary string: Accessibility.pdbh source: WER306A.tmp.dmp.6.dr
                Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000001.00000003.273540972.0000000008169000.00000004.00000001.sdmp
                Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: rawing.pdb source: WerFault.exe, 00000006.00000003.297742391.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000006.00000003.297742391.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000001.00000003.273512323.0000000008146000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.ni.pdbN source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Runtime.Remoting.pdbN source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: ml.pdb source: WerFault.exe, 00000006.00000003.297742391.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: .ni.pdb source: WerFault.exe, 00000006.00000003.297602729.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000006.00000003.297581672.0000000005304000.00000004.00000001.sdmp
                Source: Binary string: ility.pdb source: WerFault.exe, 00000006.00000003.297602729.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.ni.pdbN source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: Accessibility.pdbN source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdbI3 source: RegAsm.exe, 00000001.00000003.273540972.0000000008169000.00000004.00000001.sdmp
                Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\exe\RegAsm.pdb!YEI source: RegAsm.exe, 00000001.00000003.273512323.0000000008146000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.317819340.0000000003321000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.ni.pdbN source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.320920292.0000000004329000.00000004.00000001.sdmp, vbc.exe, 0000000E.00000002.509646524.0000000000400000.00000040.00000001.sdmp
                Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000001.00000003.273505752.000000000813C000.00000004.00000001.sdmp
                Source: Binary string: ore.pdb, source: WerFault.exe, 00000006.00000003.297742391.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: mscoree.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: System.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.286382725.0000000002FB3000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.330051509.0000000008BEA000.00000004.00000010.sdmp
                Source: Binary string: System.Core.pdbN source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.330051509.0000000008BEA000.00000004.00000010.sdmp
                Source: Binary string: .pdb0 source: RegAsm.exe, 00000001.00000002.330051509.0000000008BEA000.00000004.00000010.sdmp
                Source: Binary string: System.ni.pdbRSDS source: WER306A.tmp.dmp.6.dr
                Source: Binary string: (Pxj0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000001.00000002.330051509.0000000008BEA000.00000004.00000010.sdmp
                Source: Binary string: amjjrpjCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000006.00000002.308962475.00000000028D2000.00000004.00000010.sdmp
                Source: Binary string: System.Core.ni.pdbN source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER306A.tmp.dmp.6.dr
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: PAYMENT.exe, 00000000.00000002.248812200.0000000005AA2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.320994070.0000000004392000.00000004.00000001.sdmp, vbc.exe
                Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: System.Drawing.pdbN source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: System.Xml.pdb$ source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000006.00000003.297742391.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: System.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000006.00000003.297742391.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdb@ source: WER306A.tmp.dmp.6.dr
                Source: Binary string: ore.pdb source: WerFault.exe, 00000006.00000003.297742391.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: RegAsm.PDBU source: RegAsm.exe, 00000001.00000002.330051509.0000000008BEA000.00000004.00000010.sdmp
                Source: Binary string: System.Windows.Forms.pdbh source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000001.00000002.330051509.0000000008BEA000.00000004.00000010.sdmp, WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.285527080.0000000002FC5000.00000004.00000001.sdmp
                Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: System.Management.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\exe\RegAsm.pdb source: RegAsm.exe, 00000001.00000003.273512323.0000000008146000.00000004.00000001.sdmp
                Source: Binary string: System.Core.pdb source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.284715277.0000000002FBF000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER306A.tmp.dmp.6.dr
                Source: Binary string: System.Management.pdbN source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.pdbH source: WER306A.tmp.dmp.6.dr
                Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.pdbN source: WerFault.exe, 00000006.00000003.297570110.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000006.00000003.295172027.0000000005560000.00000004.00000001.sdmp
                Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000006.00000003.297602729.0000000005319000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.ni.pdbRSDS source: WER306A.tmp.dmp.6.dr
                Source: Binary string: System.ni.pdbN source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp
                Source: Binary string: System.ni.pdb source: WerFault.exe, 00000006.00000003.297558762.0000000005301000.00000004.00000001.sdmp, WER306A.tmp.dmp.6.dr
                Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000006.00000003.297742391.0000000005319000.00000004.00000001.sdmp

                Data Obfuscation:

                .NET source code contains potential unpacker
                Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.PAYMENT.exe.5aa0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,13_2_004422C7
                Source: C:\Users\user\Desktop\PAYMENT.exe Code function: 0_2_009F34BE push esi; retf 0_2_009F3503
                Source: C:\Users\user\Desktop\PAYMENT.exe Code function: 0_2_009F78AD push eax; iretd 0_2_009F78D4
                Source: C:\Users\user\Desktop\PAYMENT.exe Code function: 0_2_009F580B push esi; retf 0_2_009F5814
                Source: C:\Users\user\Desktop\PAYMENT.exe Code function: 0_2_009F71DB push eax; iretd 0_2_009F71E4
                Source: C:\Users\user\Desktop\PAYMENT.exe Code function: 0_2_009F4963 push eax; iretd 0_2_009F4984
                Source: C:\Users\user\Desktop\PAYMENT.exe Code function: 0_2_009F6A6D push eax; iretd 0_2_009F6A94
                Source: C:\Users\user\Desktop\PAYMENT.exe Code function: 0_2_009F77BC push eax; iretd 0_2_009F77D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0185E672 push esp; ret 1_2_0185E679
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442871 push ecx; ret 13_2_00442881
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442A90 push eax; ret 13_2_00442AA4
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442A90 push eax; ret 13_2_00442ACC
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00446E54 push eax; ret 13_2_00446E61
                Source: initial sample Static PE information: section name: .text entropy: 7.27862128103

                Hooking and other Techniques for Hiding and Protection:

                Changes the view of files in windows explorer (hidden files and folders)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,13_2_00441975
                Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
                Source: C:\Users\user\Desktop\PAYMENT.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                Source: