Analysis Report QuotationTXCtyres.exe

Overview

General Information

Sample Name: QuotationTXCtyres.exe
Analysis ID: 347605
MD5: 683bd9bd416a67e5b14c59668ead6de8
SHA1: 476275961878e53692cdbf7a887d6f6f61c27eee
SHA256: 6f8bb9d51ef192747d5393e13349bb03f272f5a947de849835709502ef09ef68
Tags: exe, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Startup

  • System is w10x64
  • QuotationTXCtyres.exe (PID: 6320 cmdline: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)
    • powershell.exe (PID: 6780 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6812 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6828 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6912 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\QuotationTXCtyres.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4624 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 4408 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • RegSvcs.exe (PID: 6800 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 6984 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • WerFault.exe (PID: 6896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6320 -s 2356 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • QuotationTXCtyres.exe (PID: 6492 cmdline: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)
  • QuotationTXCtyres.exe (PID: 4748 cmdline: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)
  • QuotationTXCtyres.exe (PID: 1496 cmdline: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)
  • QuotationTXCtyres.exe (PID: 3980 cmdline: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)
  • QuotationTXCtyres.exe (PID: 3720 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' MD5: 683BD9BD416A67E5B14C59668EAD6DE8)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000019.00000002.452936886.0000000000D30000.00000004.00000001.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x25f8:$hawkstr1: HawkEye Keylogger
  • 0x2088:$hawkstr2: Dear HawkEye Customers!
  • 0x21b6:$hawkstr3: HawkEye Logger Details:
(5 of 10 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
25.2.RegSvcs.exe.d40000.5.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
25.2.RegSvcs.exe.3a21b50.10.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
25.2.RegSvcs.exe.409c0d.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
25.2.RegSvcs.exe.45fa72.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
25.2.RegSvcs.exe.3a09930.9.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(5 of 28 entries shown)

Sigma Overview

System Summary:

Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\QuotationTXCtyres.exe' , ParentImage: C:\Users\user\Desktop\QuotationTXCtyres.exe, ParentProcessId: 6320, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force, ProcessId: 6780

                Signature Overview


                AV Detection:

Found malware configuration
Source: RegSvcs.exe.6984.25.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe | ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: QuotationTXCtyres.exe | ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: QuotationTXCtyres.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 25.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 25.2.RegSvcs.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473

                Compliance:

Uses 32bit PE files
Source: QuotationTXCtyres.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49742 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49748 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: QuotationTXCtyres.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbA source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
                Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
                Source: Binary string: C:\Users\user\Desktop\QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
                Source: Binary string: iVisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdby source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RegSvcs.exe, 00000019.00000002.468996361.0000000002C8C000.00000004.00000001.sdmp
                Source: Binary string: .pdb- source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbl source: powershell.exe, 00000006.00000003.567199772.000000000822B000.00000004.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp
                Source: Binary string: QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp
                Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbo source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbI source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 25_2_075EFE8B

                Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com (4 queries)
Source: Joe Sandbox View | IP Address: 104.23.98.190
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49721 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49742 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49748 version: TLS 1.0
Source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: pastebin.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.468484958.0000000002C78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORY
Source: Yara match | File source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                Initial sample is a PE file and has a suspicious name
                Source: initial sample | Static PE information: Filename: QuotationTXCtyres.exe
                Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6320 -s 2356
                Source: QuotationTXCtyres.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                Source: 00000019.00000002.452936886.0000000000D30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000019.00000002.453010740.0000000000D40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 25.2.RegSvcs.exe.d40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 25.2.RegSvcs.exe.2c8e168.7.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 25.2.RegSvcs.exe.2c94dd4.8.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 25.2.RegSvcs.exe.d30000.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 25.2.RegSvcs.exe.2a2b7a8.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'v5WL2NHSlgg63F1NfR2aR6g9h0gfWR8N+GP/UFVCtJkDDYPZkr2E+r1UVbTAuMU5ECRkSfAQftTbilbZSEDKHs/x/Ht/+M4keqrxuFN0ot0=', 'jQLYiTJKF11sw5sSNstFGe3izohG9YmwBLLBbFvxDFHA3kgG80r+KIMea4T97QWo', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@33/24@7/2
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6320
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | File created: C:\Users\user\AppData\Local\Temp\44e61677-7e29-4236-baa6-6da2ca395576
                Source: QuotationTXCtyres.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: QuotationTXCtyres.exe | ReversingLabs: Detection: 34%
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | File read: C:\Users\user\Desktop\QuotationTXCtyres.exe
                Source: unknown | Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe'
                Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force
                Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\QuotationTXCtyres.exe' -Force
                Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe'
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\QuotationTXCtyres.exe' -Force
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: unknown unknown
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: QuotationTXCtyres.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: QuotationTXCtyres.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: QuotationTXCtyres.exe | Static file information: File size 4525056 > 1048576
                Source: QuotationTXCtyres.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x450800
                Source: QuotationTXCtyres.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbA source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
                Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
                Source: Binary string: C:\Users\user\Desktop\QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
                Source: Binary string: iVisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdby source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RegSvcs.exe, 00000019.00000002.468996361.0000000002C8C000.00000004.00000001.sdmp
                Source: Binary string: .pdb- source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbl source: powershell.exe, 00000006.00000003.567199772.000000000822B000.00000004.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp
                Source: Binary string: QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp
                Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbo source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbI source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp

                Data Obfuscation:

                .NET source code contains potential unpacker
                Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 25.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe Code function: 0_2_00CC8F48 push ds; iretd 0_2_00CC8F4A
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe Code function: 0_2_00CC8F40 push ds; iretd 0_2_00CC8F42
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe Code function: 0_2_00CC8F11 push ds; iretd 0_2_00CC8F12
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_035757F8 push eax; mov dword ptr [esp], edx 6_2_0357580C
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_03578E01 push eax; mov dword ptr [esp], ecx 6_2_03578E54
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_03575CF8 push eax; mov dword ptr [esp], edx 6_2_03575CFC
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_035C5AAF push es; ret 6_2_035C5AC6
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0361281A push ebx; ret 6_2_0361287A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_03613EB0 pushfd ; iretd 6_2_03613EB9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00B21D20 pushfd ; ret 8_2_00B21D21
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_044B1F20 push es; ret 8_2_044B1F30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_044E0D68 push eax; mov dword ptr [esp], edx 8_2_044E0D6C
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_044E3D00 push eax; mov dword ptr [esp], ecx 8_2_044E3D14
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_044E05B2 push eax; mov dword ptr [esp], edx 8_2_044E05C4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_044E6A18 pushfd ; ret 8_2_044E6D29
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_001B1ED8 push eax; mov dword ptr [esp], edx 9_2_001B1EEC
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_006A0A7F push eax; mov dword ptr [esp], edx 9_2_006A0A84
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_006A0E28 push eax; mov dword ptr [esp], edx 9_2_006A0E2C
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_006A3F60 push eax; mov dword ptr [esp], ecx 9_2_006A3F74
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C752C9 push esp; iretd 12_2_00C752D1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C72D68 push eax; mov dword ptr [esp], edx 12_2_00C72D7C
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C7ED1F push edi; retf 12_2_00C7ED2E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_031F2D24 push FFFFFF8Bh; iretd 12_2_031F2D26
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe Code function: 20_2_01572BB0 push eax; mov dword ptr [esp], ecx 20_2_01572D29
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe

                Boot Survival:

                Creates an undocumented autostart registry key
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell
                Creates autostart registry keys with suspicious names
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
                Creates multiple autostart registry keys
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run QuotationTXCtyres.exe
                Drops PE files to the startup folder
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe\:Zone.Identifier:$DATA
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
                Source: C:\Users\user\Desktop\QuotationTXCtyres.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run QuotationTXCtyres.exe

                Hooking and other Techniques for Hiding and Protection:
