
Analysis Report LM Approved Invoices 081020.exe

Overview

General Information

Sample Name: LM Approved Invoices 081020.exe
Analysis ID: 260845
MD5: 300326a042ccb921bda24ccf62542329
SHA1: ae25411bdd81c114d4b7126d786292a4fd8b5f4b
SHA256: 08543a93690c3bdcad96daea758571cec3515b8e10b80872a505d82ad73fe6be

Detection

Verdict: HawkEye, MailPassView
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • LM Approved Invoices 081020.exe (PID: 7044 cmdline: 'C:\Users\user\Desktop\LM Approved Invoices 081020.exe' MD5: 300326A042CCB921BDA24CCF62542329)
    • schtasks.exe (PID: 7128 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEHpZLfzGrsnt' /XML 'C:\Users\user\AppData\Local\Temp\tmp89C2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 4616 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 4960 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 4628 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • WerFault.exe (PID: 5092 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1952 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6892 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6900 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings (listed beneath each row)
LM Approved Invoices 081020.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0xba938:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author | Strings (listed beneath each row)
C:\Users\user\AppData\Roaming\hEHpZLfzGrsnt.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0xba938:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings (listed beneath each row)
00000005.00000002.1347883683.0000000002C4C000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000005.00000002.1347883683.0000000002C4C000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x6090:$hawkstr1: HawkEye Keylogger
  • 0x8184:$hawkstr1: HawkEye Keylogger
  • 0x435c:$hawkstr2: Dear HawkEye Customers!
  • 0x60f0:$hawkstr2: Dear HawkEye Customers!
  • 0x81e4:$hawkstr2: Dear HawkEye Customers!
  • 0x4486:$hawkstr3: HawkEye Logger Details:
00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x131ee:$key: HawkEyeKeylogger
  • 0x15440:$salt: 099u787978786
  • 0x13851:$string1: HawkEye_Keylogger
  • 0x14690:$string1: HawkEye_Keylogger
  • 0x153a0:$string1: HawkEye_Keylogger
  • 0x13c26:$string2: holdermail.txt
  • 0x13c46:$string2: holdermail.txt
  • 0x13b68:$string3: wallet.dat
  • 0x13b80:$string3: wallet.dat
  • 0x13b96:$string3: wallet.dat
  • 0x14f64:$string4: Keylog Records
  • 0x1527c:$string4: Keylog Records
  • 0x15498:$string5: do not script -->
  • 0x131d6:$string6: \pidloc.txt
  • 0x13264:$string7: BSPLIT
  • 0x13274:$string7: BSPLIT
00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x138a9:$hawkstr1: HawkEye Keylogger
  • 0x146d6:$hawkstr1: HawkEye Keylogger
  • 0x14a05:$hawkstr1: HawkEye Keylogger
  • 0x14b60:$hawkstr1: HawkEye Keylogger
  • 0x14cc3:$hawkstr1: HawkEye Keylogger
  • 0x14f3c:$hawkstr1: HawkEye Keylogger
  • 0x13437:$hawkstr2: Dear HawkEye Customers!
  • 0x14a58:$hawkstr2: Dear HawkEye Customers!
  • 0x14baf:$hawkstr2: Dear HawkEye Customers!
  • 0x14d16:$hawkstr2: Dear HawkEye Customers!
  • 0x13558:$hawkstr3: HawkEye Logger Details:
(27 further memory-dump matches are not included in this extract.)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed beneath each row)
0.0.LM Approved Invoices 081020.exe.fc0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0xba938:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.LM Approved Invoices 081020.exe.fc0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0xba938:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
5.2.RegSvcs.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8ee:$key: HawkEyeKeylogger
  • 0x7db40:$salt: 099u787978786
  • 0x7bf51:$string1: HawkEye_Keylogger
  • 0x7cd90:$string1: HawkEye_Keylogger
  • 0x7daa0:$string1: HawkEye_Keylogger
  • 0x7c326:$string2: holdermail.txt
  • 0x7c346:$string2: holdermail.txt
  • 0x7c268:$string3: wallet.dat
  • 0x7c280:$string3: wallet.dat
  • 0x7c296:$string3: wallet.dat
  • 0x7d664:$string4: Keylog Records
  • 0x7d97c:$string4: Keylog Records
  • 0x7db98:$string5: do not script -->
  • 0x7b8d6:$string6: \pidloc.txt
  • 0x7b964:$string7: BSPLIT
  • 0x7b974:$string7: BSPLIT
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(2 further unpacked-PE matches are not included in this extract.)
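Every SUSP_Reversed_Base64_Encoded_EXE hit in this report (initial sample, dropped file and both unpacked images) fires on the same string, $sh3. The Python below is an added example, not part of the Joe Sandbox report and not the text of Florian Roth's rule: it shows what that string encodes and how to recover the embedded executable from a file or memory dump. The packer base64-encodes a PE and then reverses the text, so the DOS-stub sentence "This program cannot be run in DOS mode." turns into a fixed, reversed base64 substring that a static rule can match. The marker is copied from the report; the scanner assumes the encoded blob is delimited by bytes outside the base64 alphabet, and the input it is run on here is constructed, not taken from the sample.

```python
import base64
import binascii
import re

# Yara string $sh3 of SUSP_Reversed_Base64_Encoded_EXE exactly as it matched in this sample.
REVERSED_MARKER = b"uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV"

# A run of base64 text long enough to be worth decoding. '=' is part of the
# class because, once the text is reversed, the padding sits at the start.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{64,}")


def decode_reversed_base64(blob: bytes) -> bytes:
    """Undo the packer's transform: reverse the text, then base64-decode it."""
    return base64.b64decode(blob[::-1], validate=True)


def explain_marker(marker: bytes = REVERSED_MARKER) -> str:
    """Return the plaintext the Yara marker stands for."""
    return decode_reversed_base64(marker).decode("ascii")


def find_reversed_b64_pe(data: bytes, marker: bytes = REVERSED_MARKER):
    """Scan a file or memory dump for a reversed-base64 PE.

    Returns (offset, payload) for the first base64 run that contains the
    marker and decodes to data starting with the MZ signature, else None.
    Assumption: the encoded blob is delimited by bytes outside the base64
    alphabet, as it is in the constructed sample below.
    """
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        if marker not in run:
            continue
        try:
            payload = decode_reversed_base64(run)
        except (binascii.Error, ValueError):
            continue  # base64-looking text that is not a reversed blob
        if payload.startswith(b"MZ"):
            return m.start(), payload
    return None


def build_sample() -> bytes:
    """Constructed input, not from the report: a minimal DOS-stub-like PE,
    base64-encoded, reversed and dropped between non-base64 filler bytes."""
    stub_text = b"This program cannot be run in DOS mode."
    # Offset 0x4E (78) is where the sentence sits in a typical DOS stub. 78 is
    # a multiple of 3, so the sentence always maps onto the same base64 block,
    # which is why one fixed (reversed) substring catches every such file.
    fake_pe = b"MZ" + b"\x90" * 76 + stub_text + b"\r\r\n$" + b"\x00" * 40
    encoded = base64.b64encode(fake_pe)[::-1]
    return b"\x00" * 8 + b"<junk> " + encoded + b" </junk>" + b"\x00" * 8


if __name__ == "__main__":
    print(explain_marker())
    found = find_reversed_b64_pe(build_sample())
    if found:
        print("reversed-base64 PE at offset", found[0], "payload", len(found[1]), "bytes")
```

Run against the dropped file or the 0.2 unpack from the report, the same scanner should surface the blob around offset 0xba938, where $sh3 matched; the recovered payload is what RegSvcs.exe was later made to host.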

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEHpZLfzGrsnt' /XML 'C:\Users\user\AppData\Local\Temp\tmp89C2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEHpZLfzGrsnt' /XML 'C:\Users\user\AppData\Local\Temp\tmp89C2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\LM Approved Invoices 081020.exe' , ParentImage: C:\Users\user\Desktop\LM Approved Invoices 081020.exe, ParentProcessId: 7044, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEHpZLfzGrsnt' /XML 'C:\Users\user\AppData\Local\Temp\tmp89C2.tmp', ProcessId: 7128
Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: {path}, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 4628, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', ProcessId: 6892
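Both Sigma hits key on the process tree rather than on file content. The Python below is an added example, my own code rather than Joe Sandbox's or the text of either Sigma rule: it runs three approximations of those detections over process-creation records rebuilt from the Startup tree of this report. The first catches schtasks.exe creating a task from an XML file in the user's Temp folder; the second catches vbc.exe started with /stext writing into Temp, which is the NirSoft save-as-text switch rather than a compiler option and fits the MailPassView and WebBrowserPassView matches in RegSvcs.exe memory; the third flags RegSvcs.exe spawned by a binary under C:\Users, as the three RegSvcs.exe children of the sample are. The RegSvcs.exe command line (shown as {path} in the report) and the two benign control events are assumed values.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 / Security 4688 style)."""
    process_id: int
    image: str
    command_line: str
    parent_process_id: int
    parent_image: str


def _norm(s: str) -> str:
    """Lower-case and drop quoting, so the sandbox's single-quoted rendering
    and a real double-quoted Windows command line compare the same way."""
    return s.replace('"', "").replace("'", "").lower()


def rule_schtasks_task_from_temp_xml(ev: ProcessEvent) -> bool:
    """schtasks.exe /Create whose task definition (/XML) is read from the
    user's Temp folder: the pattern behind the first Sigma hit above."""
    cl = _norm(ev.command_line)
    return (_norm(ev.image).endswith("\\schtasks.exe")
            and " /create" in cl
            and re.search(r"/xml\s+.*?\\appdata\\local\\temp\\", cl) is not None)


def rule_vbc_stext_dump_to_temp(ev: ProcessEvent) -> bool:
    """The VB.NET compiler launched with /stext <file in Temp>. /stext is not
    a vbc.exe option; it is how NirSoft tools are told to save output as text."""
    cl = _norm(ev.command_line)
    return (_norm(ev.image).endswith("\\vbc.exe")
            and " /stext " in cl
            and "\\appdata\\local\\temp\\" in cl)


def rule_regsvcs_spawned_from_user_profile(ev: ProcessEvent) -> bool:
    """RegSvcs.exe (a .NET framework utility) started by a binary that lives
    under C:\\Users rather than under the Windows directory."""
    parent = _norm(ev.parent_image)
    return (_norm(ev.image).endswith("\\regsvcs.exe")
            and "\\users\\" in parent
            and not parent.startswith("c:\\windows\\"))


RULES = {
    "schtasks_task_from_temp_xml": rule_schtasks_task_from_temp_xml,
    "vbc_stext_dump_to_temp": rule_vbc_stext_dump_to_temp,
    "regsvcs_spawned_from_user_profile": rule_regsvcs_spawned_from_user_profile,
}


def run_rules(events):
    """Return {pid: [matching rule names]} for every event that fires a rule."""
    hits = {}
    for ev in events:
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits[ev.process_id] = names
    return hits


# Constructed from the Startup tree of this report, plus two benign controls.
SAMPLE = r"C:\Users\user\Desktop\LM Approved Invoices 081020.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS = [
    ProcessEvent(7128, r"C:\Windows\SysWOW64\schtasks.exe",
                 r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEHpZLfzGrsnt' "
                 r"/XML 'C:\Users\user\AppData\Local\Temp\tmp89C2.tmp'", 7044, SAMPLE),
    # RegSvcs.exe command line is {path} in the report; the bare image path is an assumption
    ProcessEvent(4628, REGSVCS, REGSVCS, 7044, SAMPLE),
    ProcessEvent(6892, VBC, VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'", 4628, REGSVCS),
    ProcessEvent(6900, VBC, VBC + r" /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'", 4628, REGSVCS),
    # benign controls (constructed): a task query, and vbc.exe run by MSBuild
    ProcessEvent(9001, r"C:\Windows\System32\schtasks.exe",
                 r"schtasks.exe /Query /TN 'Updates\hEHpZLfzGrsnt'", 9000, r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(9002, VBC, VBC + r" /noconfig @C:\build\obj\tmp.rsp", 9000,
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
]

if __name__ == "__main__":
    for pid, names in run_rules(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
```

Two details from the Sigma data above matter when writing such rules for real telemetry: the Image field for the scheduler is the SysWOW64 copy although the command line names System32 (file-system redirection for a 32-bit parent), so match on the file name rather than the directory; and the vbc.exe run is only suspicious because of /stext and the Temp target, not because vbc.exe ran at all, which is why the MSBuild control above stays quiet.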

Signature Overview

AV Detection:

Found malware configuration
Source: LM Approved Invoices 081020.exe.7044.0.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\hEHpZLfzGrsnt.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: LM Approved Invoices 081020.exe | Joe Sandbox ML: detected
May infect USB drives
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegSvcs.exe, 00000005.00000002.1347951859.0000000002C68000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegSvcs.exe, 00000005.00000002.1347951859.0000000002C68000.00000004.00000001.sdmp | Binary or memory string: 6j[autorun]
Source: RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070DB76F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070D24AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then call 0506A6E8h | 5_2_070DB4AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070DB4AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070D2351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then call 0506A6E8h | 5_2_070DB3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070DB3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070DC25D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070DC173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070D2EE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then call 0506A6E8h | 5_2_070DAC63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070DAC63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070DBA94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_070D281B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_0719FE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_07962788
DNS queries and strings found in binary or memory
Source: unknown | DNS traffic detected: query: 35.56.3.0.in-addr.arpa, reply code: Name error (3)
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 35.56.3.0.in-addr.arpa
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1301104915.00000000039AC000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1346576397.00000000029A1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000009.00000003.1326557872.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278447823.0000000006661000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278489966.0000000006661000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comcer
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278447823.0000000006661000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comic
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278408144.0000000006661000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comue
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1297404654.0000000006630000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comA2J
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, LM Approved Invoices 081020.exe, 00000000.00000003.1278088711.000000000665F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278216227.0000000006640000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278047388.000000000665F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl-g
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278088711.000000000665F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cns-mO
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, LM Approved Invoices 081020.exe, 00000000.00000003.1278959159.0000000006632000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278959159.0000000006632000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278959159.0000000006632000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/.5
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1279281470.000000000663C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/H2S
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278959159.0000000006632000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Regu
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1279281470.000000000663C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1279281470.000000000663C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-e
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1279281470.000000000663C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278959159.0000000006632000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d2o
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278959159.0000000006632000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1279281470.000000000663C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1279099807.000000000663C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/s2t
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1279192018.000000000663C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/z2
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1279281470.000000000663C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/rtrW2X
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278959159.0000000006632000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/s2t
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278959159.0000000006632000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/wdthd
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1279281470.000000000663C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/z2
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1283014753.0000000006648000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, LM Approved Invoices 081020.exe, 00000000.00000003.1276440311.000000000663C000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RegSvcs.exe, 00000005.00000002.1346644342.0000000002A0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: LM Approved Invoices 081020.exe, 00000000.00000002.1316620216.0000000007842000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1351275763.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: LM Approved Invoices 081020.exe, 00000000.00000003.1278360490.0000000006660000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnue

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected HawkEye Keylogger
          Source: Yara match | File source: 00000005.00000002.1347883683.0000000002C4C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1347856656.0000000002C3C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: LM Approved Invoices 081020.exe PID: 7044, type: MEMORY
          Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 5092, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4628, type: MEMORY
          Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Contains functionality to log keystrokes (.Net Source)
          Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
          Contains functionality to register a low level keyboard hook
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_070D047C SetWindowsHookExA 0000000D,00000000,?,?
          Installs a global keyboard hook
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1298148571.0000000001800000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000002.1347883683.0000000002C4C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.1347856656.0000000002C3C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: LM Approved Invoices 081020.exe
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Code function: 0_2_01BD00C4 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Code function: 0_2_01BD0775 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Code function: 0_2_01BDCBDC
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Code function: 0_2_00FC6580
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D0B29C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D0C310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D0B290
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D099D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D0DFD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_070DE528
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_070DC5A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_070DF300
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_070D1F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_070D3D28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_070D2820
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_070D1F2B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_070D3D23
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_070DAC63
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0719B4E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_07190040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0719BDB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0719B198
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_07190007
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_07961BF0
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1952
          Source: LM Approved Invoices 081020.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: hEHpZLfzGrsnt.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: LM Approved Invoices 081020.exe | Binary or memory string: OriginalFilename vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1317390440.0000000008200000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1301174653.00000000039BC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1298148571.0000000001800000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000000.1273926887.0000000000FD9000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamebaXUi.exe4 vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1317803975.000000000E190000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1317438489.0000000008270000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1317438489.0000000008270000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs LM Approved Invoices 081020.exe
          Source: LM Approved Invoices 081020.exe | Binary or memory string: OriginalFilenamebaXUi.exe4 vs LM Approved Invoices 081020.exe
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: LM Approved Invoices 081020.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000005.00000002.1347883683.0000000002C4C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.1347856656.0000000002C3C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000000.1273926887.0000000000FD9000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000003.1292047072.0000000007C21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000002.1297602261.0000000000FD9000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000000.00000002.1298605179.0000000003461000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: LM Approved Invoices 081020.exe PID: 7044, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: C:\Users\user\AppData\Roaming\hEHpZLfzGrsnt.exe, type: DROPPED | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 0.0.LM Approved Invoices 081020.exe.fc0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 0.2.LM Approved Invoices 081020.exe.fc0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: LM Approved Invoices 081020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: hEHpZLfzGrsnt.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'NlYlPFj3sfbL9B+Hdl5MsaC/zJhmdnavk/JjdHgSL33EhNbiPvw4h8ddePxaqSFFNJBkyK7Iw1MluhdkEUbu9A==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/10@1/1
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | File created: C:\Users\user\AppData\Roaming\hEHpZLfzGrsnt.exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4628
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | File created: C:\Users\user\AppData\Local\Temp\tmp89C2.tmp
          Source: LM Approved Invoices 081020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: RegSvcs.exe, 00000005.00000002.1346644342.0000000002A0A000.00000004.00000001.sdmp | Binary or memory string: SELECT * FROM FirewallProduct(@;j`
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | File read: C:\Users\user\Desktop\LM Approved Invoices 081020.exe
          Source: unknown | Process created: C:\Users\user\Desktop\LM Approved Invoices 081020.exe 'C:\Users\user\Desktop\LM Approved Invoices 081020.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEHpZLfzGrsnt' /XML 'C:\Users\user\AppData\Local\Temp\tmp89C2.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1952
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEHpZLfzGrsnt' /XML 'C:\Users\user\AppData\Local\Temp\tmp89C2.tmp'
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: LM Approved Invoices 081020.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: LM Approved Invoices 081020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: anagement.pdb source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000009.00000003.1329602891.0000000004FFE000.00000004.00000001.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.1317704392.00000000048AB000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000005.00000003.1312100040.00000000071CC000.00000004.00000001.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb0 source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdbp source: WERBE5F.tmp.dmp.9.dr
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: ore.ni.pdb" source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.1329724572.0000000004FE0000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdb`? source: WERBE5F.tmp.dmp.9.dr
          Source: Binary string: crypt32.pdb^ source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000005.00000003.1310523414.0000000007258000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000002.1341262497.0000000000AF0000.00000002.00000001.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: .ni.pdb source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000009.00000003.1329602891.0000000004FFE000.00000004.00000001.sdmp
          Source: Binary string: ility.pdb source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.1329724572.0000000004FE0000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: m0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.1352428233.0000000007C0A000.00000004.00000010.sdmp
          Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.1317901125.00000000008D6000.00000004.00000001.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: gdiplus.pdbB source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp
          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp
          Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000005.00000002.1352428233.0000000007C0A000.00000004.00000010.sdmp
          Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: RegSvcs.exe, 00000005.00000002.1352428233.0000000007C0A000.00000004.00000010.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.1329724572.0000000004FE0000.00000004.00000040.sdmp
          Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: rsaenh.pdb> source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.1352428233.0000000007C0A000.00000004.00000010.sdmp
          Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb{ source: RegSvcs.exe, 00000005.00000003.1312100040.00000000071CC000.00000004.00000001.sdmp
          Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.1308819583.0000000007225000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000002.1341262497.0000000000AF0000.00000002.00000001.sdmp
          Source: Binary string: comctl32.pdbn source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERBE5F.tmp.dmp.9.dr
          Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdb2 source: RegSvcs.exe, 00000005.00000003.1308826820.0000000007232000.00000004.00000001.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000005.00000003.1312160171.0000000007227000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: clrjit.pdb" source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: CMemoryExecute.pdb@ source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: DWrite.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000003.1329514388.0000000004FFC000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: dhcpcsvc6.pdb| source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERBE5F.tmp.dmp.9.dr
          Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WERBE5F.tmp.dmp.9.dr
          Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: xecute.pdb source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: wbemsvc.pdb` source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdbRSDSD source: WERBE5F.tmp.dmp.9.dr
          Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb$ source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: ml.ni.pdb" source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: anagement.pdb{{ source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: version.pdbj source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: System.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.pdb, source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WERBE5F.tmp.dmp.9.dr
          Source: Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000003.1308826820.0000000007232000.00000004.00000001.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: LM Approved Invoices 081020.exe, 00000000.00000002.1307677343.000000000480F000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.1345128464.0000000000402000.00000040.00000001.sdmp
          Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000003.1329514388.0000000004FFC000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000003.1329514388.0000000004FFC000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: System.Core.pdbp source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdbH source: WERBE5F.tmp.dmp.9.dr
          Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: System.Runtime.Remoting.pdbt; source: WERBE5F.tmp.dmp.9.dr
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.1317901125.00000000008D6000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.1329543539.0000000004E41000.00000004.00000001.sdmp
          Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: CMemoryExecute.pdb,C source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000003.1327157404.0000000005110000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.1329471247.0000000004FE8000.00000004.00000040.sdmp
          Source: Binary string: .pdb source: RegSvcs.exe, 00000005.00000002.1352428233.0000000007C0A000.00000004.00000010.sdmp
          Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000009.00000003.1329611058.0000000004E57000.00000004.00000001.sdmp
          Source: Binary string: comctl32.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.1329514388.0000000004FFC000.00000004.00000001.sdmp, WERBE5F.tmp.dmp.9.dr
          Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp
          Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.1329452901.0000000004FEF000.00000004.00000040.sdmp

          Data Obfuscation:

.NET source code contains potential unpacker
Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe Code function: 0_2_00FCA5E2 push esp; iretd 0_2_00FCA60F
Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe Code function: 0_2_00FCA4DB push esp; iretd 0_2_00FCA60F
Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe Code function: 0_2_00FCA4CB push cs; ret 0_2_00FCA4CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_070D11C9 pushfd ; ret 5_2_070D11DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0719B4D5 pushad ; ret 5_2_0719B4D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0719B4D7 pushad ; ret 5_2_0719B4DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0719414F push ds; ret 5_2_07194152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0719B18C pushad ; ret 5_2_0719B18E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0719B18F pushad ; ret 5_2_0719B192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0719AF69 pushad ; ret 5_2_0719AF6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_07193A58 push ss; ret 5_2_07193A5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_07193A5B push ss; ret 5_2_07193A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0719B89F pushad ; ret 5_2_0719B8A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0719C8A8 pushad ; ret 5_2_0719C8A9
Source: initial sample Static PE information: section name: .text entropy: 7.78860241409
Source: C:\Users\user\Desktop\LM Approved Invoices 081020.exe File created: C:\Users\user\AppData\Roaming\hEHpZLfzGrsnt.exe

          Boot Survival: