
Analysis Report invoice.exe

Overview

General Information

Sample Name: invoice.exe
Analysis ID: 269218
MD5: e2cc21200c21cd342b5635dd67d73fb8
SHA1: fb6d3dadfa5810360d6d2bb1cf860b5b6e642b3c
SHA256: 9cee28ff70f09aa9628d5f760a033e40e320d31d3cab3d79edd0d9d86575e1e2

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • invoice.exe (PID: 6924 cmdline: 'C:\Users\user\Desktop\invoice.exe' MD5: E2CC21200C21CD342B5635DD67D73FB8)
    • schtasks.exe (PID: 6996 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ETUekOi' /XML 'C:\Users\user\AppData\Local\Temp\tmp42E2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 7040 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • WerFault.exe (PID: 6480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1924 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 5816 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4972 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.1369272001.000000000315C000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000003.00000002.1369272001.000000000315C000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x6090:$hawkstr1: HawkEye Keylogger
  • 0x8184:$hawkstr1: HawkEye Keylogger
  • 0x2f4:$hawkstr2: Dear HawkEye Customers!
  • 0x60f0:$hawkstr2: Dear HawkEye Customers!
  • 0x81e4:$hawkstr2: Dear HawkEye Customers!
  • 0x41e:$hawkstr3: HawkEye Logger Details:
00000003.00000002.1369245492.000000000314C000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000003.00000002.1369245492.000000000314C000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x45d0:$hawkstr1: HawkEye Keylogger
  • 0x4088:$hawkstr2: Dear HawkEye Customers!
  • 0x41b6:$hawkstr3: HawkEye Logger Details:
00000003.00000002.1369511735.0000000003EB9000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
13.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
3.2.RegSvcs.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b90a:$key: HawkEyeKeylogger
  • 0x7db1c:$salt: 099u787978786
  • 0x7bf4b:$string1: HawkEye_Keylogger
  • 0x7cd8a:$string1: HawkEye_Keylogger
  • 0x7da7c:$string1: HawkEye_Keylogger
  • 0x7c320:$string2: holdermail.txt
  • 0x7c340:$string2: holdermail.txt
  • 0x7c262:$string3: wallet.dat
  • 0x7c27a:$string3: wallet.dat
  • 0x7c290:$string3: wallet.dat
  • 0x7d65e:$string4: Keylog Records
  • 0x7d976:$string4: Keylog Records
  • 0x7db74:$string5: do not script -->
  • 0x7b8f2:$string6: \pidloc.txt
  • 0x7b980:$string7: BSPLIT
  • 0x7b990:$string7: BSPLIT
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ETUekOi' /XML 'C:\Users\user\AppData\Local\Temp\tmp42E2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ETUekOi' /XML 'C:\Users\user\AppData\Local\Temp\tmp42E2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice.exe' , ParentImage: C:\Users\user\Desktop\invoice.exe, ParentProcessId: 6924, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ETUekOi' /XML 'C:\Users\user\AppData\Local\Temp\tmp42E2.tmp', ProcessId: 6996
Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: {path}, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 7040, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 5816

Signature Overview

AV Detection:

Found malware configuration
Source: invoice.exe.6924.0.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ETUekOi.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: invoice.exe | Joe Sandbox ML: detected
Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegSvcs.exe, 00000003.00000002.1367230092.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegSvcs.exe, 00000003.00000002.1367230092.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_07AE26D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_07AE2BA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_07C7FE8A
Source: unknown | DNS traffic detected: query: 45.97.11.0.in-addr.arpa replaycode: Name error (3)
Source: unknown | DNS traffic detected: queries for: 45.97.11.0.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000003.00000002.1369272001.000000000315C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1369245492.000000000314C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1367230092.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: invoice.exe PID: 6924, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7040, type: MEMORY
Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 6480, type: MEMORY
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 3.2.RegSvcs.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_07AE05B4 SetWindowsHookExA 0000000D,00000000,?,? | 3_2_07AE05B4
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.1369272001.000000000315C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1369245492.000000000314C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1367230092.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.1367230092.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: invoice.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_07C625E8 NtWriteVirtualMemory | 3_2_07C625E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_07C62488 NtUnmapViewOfSection | 3_2_07C62488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_07C625E3 NtWriteVirtualMemory | 3_2_07C625E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_07C62480 NtUnmapViewOfSection | 3_2_07C62480
                Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1924
                Source: invoice.exeBinary or memory string: OriginalFilename vs invoice.exe
                Source: invoice.exe, 00000000.00000002.1310026761.000000000E8D0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs invoice.exe
                Source: invoice.exe, 00000000.00000002.1303879993.0000000002F2B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs invoice.exe
                Source: invoice.exe, 00000000.00000002.1299938121.00000000025C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAmun.dll, vs invoice.exe
                Source: invoice.exe, 00000000.00000002.1310811853.000000000E9C0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs invoice.exe
                Source: invoice.exe, 00000000.00000002.1310811853.000000000E9C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs invoice.exe
                Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs invoice.exe
                Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs invoice.exe
                Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs invoice.exe
                Source: invoice.exe, 00000000.00000002.1307524877.00000000045C0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLoreal.exe4 vs invoice.exe
                Source: invoice.exeBinary or memory string: OriginalFilenameX1r.exe8 vs invoice.exe
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: 00000003.00000002.1369272001.000000000315C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.1369245492.000000000314C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.1367230092.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000003.00000002.1367230092.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: ETUekOi.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: 3.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 3.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 3.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 3.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 3.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Base64 encoded string: '/7V6xaOb/XwaJhfT7LXWKrXGKPYrDPDunuHH1OQHvXF53kTv32BLcajGSSLezhv8Srv5GTjJjdkXRQet2dCVpw==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/10@1/1
                Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Roaming\ETUekOi.exe
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7040
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_01
                Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Temp\tmp42E2.tmp
                Source: invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\invoice.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.1369511735.0000000003EB9000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.1547315473.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.1369511735.0000000003EB9000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.1547315473.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.1369511735.0000000003EB9000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.1547315473.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.1369511735.0000000003EB9000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.1547315473.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: RegSvcs.exe, 00000003.00000002.1368958577.0000000002F1A000.00000004.00000001.sdmp | Binary or memory string: SELECT * FROM FirewallProduct(@;j|
                Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.1369511735.0000000003EB9000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.1547315473.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.1369511735.0000000003EB9000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.1547315473.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.1369511735.0000000003EB9000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.1547315473.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Users\user\Desktop\invoice.exe | File read: C:\Users\user\Desktop\invoice.exe
                Source: unknown | Process created: C:\Users\user\Desktop\invoice.exe 'C:\Users\user\Desktop\invoice.exe'
                Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ETUekOi' /XML 'C:\Users\user\AppData\Local\Temp\tmp42E2.tmp'
                Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1924
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ETUekOi' /XML 'C:\Users\user\AppData\Local\Temp\tmp42E2.tmp'
                Source: C:\Users\user\Desktop\invoice.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: anagement.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.1335742937.0000000003221000.00000004.00000001.sdmp
                Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.1347319625.0000000003402000.00000004.00000040.sdmp
                Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.Core.pdb|R7 source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.1347461776.0000000005521000.00000004.00000001.sdmp
                Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.1347461776.0000000005521000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb source: WerFault.exe, 00000008.00000003.1335718400.0000000003215000.00000004.00000001.sdmp
                Source: Binary string: winnsi.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: onfiguration.pdb+ source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: ml.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: RegSvcs.pdb source: WerFault.exe, 00000008.00000002.1363826843.00000000033E0000.00000002.00000001.sdmp
                Source: Binary string: clr.pdb source: WerFault.exe, 00000008.00000003.1348002173.0000000003400000.00000004.00000040.sdmp
                Source: Binary string: .ni.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: System.Windows.Forms.pdb$ source: WER9633.tmp.dmp.8.dr
                Source: Binary string: b.pdb source: RegSvcs.exe, 00000003.00000002.1376965364.000000000763F000.00000004.00000001.sdmp
                Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: DWrite.pdbx< source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: ility.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.1347461776.0000000005521000.00000004.00000001.sdmp
                Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.1347461776.0000000005521000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000008.00000003.1347500636.0000000005536000.00000004.00000001.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: comctl32.pdbP<4 source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: ml.pdbe source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.1336294700.0000000003227000.00000004.00000001.sdmp
                Source: Binary string: rsaenh.pdb}B> source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.1347319625.0000000003402000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: ole32.pdb| source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.1377735509.0000000007C50000.00000004.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.1369511735.0000000003EB9000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000008.00000003.1347500636.0000000005536000.00000004.00000001.sdmp
                Source: Binary string: dwmapi.pdbJ source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000003.00000002.1378103210.00000000086BA000.00000004.00000010.sdmp
                Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: RegSvcs.exe, 00000003.00000002.1378103210.00000000086BA000.00000004.00000010.sdmp
                Source: Binary string: mscoree.pdb source: WerFault.exe, 00000008.00000003.1347461776.0000000005521000.00000004.00000001.sdmp
                Source: Binary string: dhcpcsvc.pdb$<8 source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: cryptsp.pdb, source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.1378103210.00000000086BA000.00000004.00000010.sdmp
                Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000008.00000003.1347319625.0000000003402000.00000004.00000040.sdmp
                Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: nsi.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: RegSvcs.pdb, source: WerFault.exe, 00000008.00000002.1363826843.00000000033E0000.00000002.00000001.sdmp
                Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000008.00000003.1347319625.0000000003402000.00000004.00000040.sdmp
                Source: Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: dhcpcsvc6.pdbZ<> source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER9633.tmp.dmp.8.dr
                Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: .pdbtt source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: ole32.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: System.Drawing.pdbxh source: WER9633.tmp.dmp.8.dr
                Source: Binary string: wimm32.pdb6 source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: wbemcomn.pdb`<d source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: bcryptprimitives.pdbM source: WerFault.exe, 00000008.00000003.1347461776.0000000005521000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: shcore.pdb" source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.1378103210.00000000086BA000.00000004.00000010.sdmp, WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: dnsapi.pdbV< source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.Configuration.pdbB source: WER9633.tmp.dmp.8.dr
                Source: Binary string: DWrite.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: System.Management.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.1347319625.0000000003402000.00000004.00000040.sdmp
                Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000008.00000003.1335742937.0000000003221000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER9633.tmp.dmp.8.dr
                Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.ni.pdbRSDS source: WER9633.tmp.dmp.8.dr
                Source: Binary string: shell32.pdb0 source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: System.Core.ni.pdbRSDSD source: WER9633.tmp.dmp.8.dr
                Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: rawing.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000008.00000003.1347319625.0000000003402000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: wwin32u.pdbd source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: wmswsock.pdbr source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbp source: WER9633.tmp.dmp.8.dr
                Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.1348002173.0000000003400000.00000004.00000040.sdmp
                Source: Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: System.Management.pdb|R7 source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: oleaut32.pdbF source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.1348002173.0000000003400000.00000004.00000040.sdmp
                Source: Binary string: System.pdb&& source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: msctf.pdbL< source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.Runtime.Remoting.pdb, source: WER9633.tmp.dmp.8.dr
                Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: System.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: Accessibility.pdb(Vd source: WER9633.tmp.dmp.8.dr
                Source: Binary string: version.pdbh source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000008.00000003.1335718400.0000000003215000.00000004.00000001.sdmp
                Source: Binary string: wUxTheme.pdb@ source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.1348002173.0000000003400000.00000004.00000040.sdmp
                Source: Binary string: iphlpapi.pdbB< source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.1347461776.0000000005521000.00000004.00000001.sdmp
                Source: Binary string: System.ni.pdbRSDS source: WER9633.tmp.dmp.8.dr
                Source: Binary string: clrjit.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: n0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.1378103210.00000000086BA000.00000004.00000010.sdmp
                Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: fastprox.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: winrnr.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: cfgmgr32.pdbT source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.Core.pdbE source: WER9633.tmp.dmp.8.dr
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: invoice.exe, 00000000.00000002.1304177005.00000000035C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.1369511735.0000000003EB9000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.1547315473.0000000000400000.00000040.00000001.sdmp
                Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: version.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: .pdbe source: RegSvcs.exe, 00000003.00000002.1378103210.00000000086BA000.00000004.00000010.sdmp
                Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: fltLib.pdbX source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: System.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: ore.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: bcrypt.pdbn source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.1348002173.0000000003400000.00000004.00000040.sdmp
                Source: Binary string: psapi.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.1347461776.0000000005521000.00000004.00000001.sdmp
                Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000008.00000003.1336294700.0000000003227000.00000004.00000001.sdmp
                Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000008.00000003.1347319625.0000000003402000.00000004.00000040.sdmp
                Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.1347461776.0000000005521000.00000004.00000001.sdmp
                Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: winnsi.pdb.<" source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.Core.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: combase.pdbk source: WerFault.exe, 00000008.00000003.1347319625.0000000003402000.00000004.00000040.sdmp
                Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000008.00000003.1345327572.0000000005810000.00000004.00000001.sdmp
                Source: Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: .pdb source: RegSvcs.exe, 00000003.00000002.1378103210.00000000086BA000.00000004.00000010.sdmp
                Source: Binary string: powrprof.pdb^ source: WerFault.exe, 00000008.00000003.1348035540.000000000340B000.00000004.00000040.sdmp
                Source: Binary string: comctl32.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000008.00000003.1347365230.0000000003416000.00000004.00000040.sdmp
                Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp
                Source: Binary string: System.ni.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp, WER9633.tmp.dmp.8.dr
                Source: Binary string: edputil.pdb source: WerFault.exe, 00000008.00000003.1347287914.000000000340E000.00000004.00000040.sdmp

                Data Obfuscation:

.NET source code contains potential unpacker
                Source: 3.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0167E672 push esp; ret 3_2_0167E679
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_07AEE32F push edx; ret 3_2_07AEE332
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_07AEE32B push edx; ret 3_2_07AEE32E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_07AEE2AB push ebx; ret 3_2_07AEE32A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_07AEE2A3 push ecx; ret 3_2_07AEE2AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_07AEE2A1 push edx; ret 3_2_07AEE2A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_07AEA2EB push es; ret 3_2_07AEA2F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_07AEE1B9 push eax; ret 3_2_07AEE1BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_07AEE1FB push eax; ret 3_2_07AEE202
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_07AEE1F9 push ecx; ret 3_2_07AEE1FA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_07AEF079 pushad ; ret 3_2_07AEF07A
                Source: initial sample Static PE information: section name: .text entropy: 7.90896537062
                Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Roaming\ETUekOi.exe

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ETUekOi' /XML 'C:\Users\user\AppData\Local\Temp\tmp42E2.tmp'

                Hooking and other Techniques for Hiding and Protection:

                Changes the view of files in windows explorer (hidden files and folders)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
                Source: C:\Users\user\Desktop\invoice.exe Process information set: NOOPENFILEERRORBOX