
Windows Analysis Report E-Remittance Form_z.TXT.exe

Overview

General Information

Sample Name: E-Remittance Form_z.TXT.exe
Analysis ID: 465268
MD5: 0c3bdc11fd6454bb67da849864170b44
SHA1: 1c925518e075761758a47f677016c95f5e80c92c
SHA256: bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1
Tags: exe, HawkEye

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected AntiVM autoit script
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • E-Remittance Form_z.TXT.exe (PID: 5956 cmdline: 'C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe' MD5: 0C3BDC11FD6454BB67DA849864170B44)
    • urdavsa.pif (PID: 3588 cmdline: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg MD5: CDBB08D4234736C4A052DC3F181E66F2)
      • wscript.exe (PID: 2520 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • urdavsa.pif (PID: 5708 cmdline: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg MD5: CDBB08D4234736C4A052DC3F181E66F2)
          • wscript.exe (PID: 5564 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
            • urdavsa.pif (PID: 2232 cmdline: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg MD5: CDBB08D4234736C4A052DC3F181E66F2)
              • wscript.exe (PID: 1360 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
                • urdavsa.pif (PID: 5552 cmdline: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg MD5: CDBB08D4234736C4A052DC3F181E66F2)
                  • RegSvcs.exe (PID: 4684 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView", "browserpv"], "Version": "HawkEye Keylogger - Reborn v9{"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87a2e:$s1: HawkEye Keylogger
  • 0x87a97:$s1: HawkEye Keylogger
  • 0x80e71:$s2: _ScreenshotLogger
  • 0x80e3e:$s3: _PasswordStealer
0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x77bbc:$s2: _ScreenshotLogger
  • 0x78108:$s2: _ScreenshotLogger
  • 0x77b89:$s3: _PasswordStealer
  • 0x780d5:$s3: _PasswordStealer
0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87c4e:$s1: HawkEye Keylogger
  • 0x87cb7:$s1: HawkEye Keylogger
  • 0x81091:$s2: _ScreenshotLogger
  • 0x8105e:$s3: _PasswordStealer
(18 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
28.2.RegSvcs.exe.7da834a.4.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x11bb0:$a1: logins.json
  • 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x12334:$s4: \mozsqlite3.dll
  • 0x115a4:$s5: SMTP Password
28.2.RegSvcs.exe.7da834a.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
28.2.RegSvcs.exe.980000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87c2e:$s1: HawkEye Keylogger
  • 0x87c97:$s1: HawkEye Keylogger
  • 0x81071:$s2: _ScreenshotLogger
  • 0x8103e:$s3: _PasswordStealer
28.2.RegSvcs.exe.980000.0.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp
  • 0x87601:$name: ConfuserEx
  • 0x8630e:$compile: AssemblyTitle
28.2.RegSvcs.exe.980000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(27 entries in total; the remaining entries are not shown here)

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started | Author: Florian Roth, Max Altgelt | Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg, ParentImage: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif, ParentProcessId: 3588, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' , ProcessId: 2520
Sigma detected: WScript or CScript Dropper
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community | Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg, ParentImage: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif, ParentProcessId: 3588, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' , ProcessId: 2520
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg, ParentImage: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif, ParentProcessId: 5552, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4684

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: RegSvcs.exe.4684.28.memstrmin | Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "browserpv"], "Version": "HawkEye Keylogger - Reborn v9{"}
Multi AV Scanner detection for domain / URL
Source: https://a.pomf.cat/ | Virustotal: Detection: 7%
Source: http://pomf.cat/upload.php | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | ReversingLabs: Detection: 46%
Source: 28.2.RegSvcs.exe.980000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: E-Remittance Form_z.TXT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: E-Remittance Form_z.TXT.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: E-Remittance Form_z.TXT.exe
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A09FD3 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AE2408 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B08877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AECAE7 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AEDE7C FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp\82139548\rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp\82139548
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD2285 InternetQueryDataAvailable,InternetReadFile
Source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: urdavsa.pif, 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: urdavsa.pif.1.dr | String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: urdavsa.pif.1.dr | String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.globalsign.net/repository/0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.globalsign.net/repository/03
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.globalsign.net/repository09
Source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AEA0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AFD8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD42E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW
Source: urdavsa.pif, 00000002.00000002.392280466.0000000000CCA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B0C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary:

Malicious sample detected (through community Yara rule)
Source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009E6FC6 __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD6219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703B6028_2_01703B60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703B1E28_2_01703B1E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703BF128_2_01703BF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703BCE28_2_01703BCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01700BA828_2_01700BA8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703A7728_2_01703A77
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703A0228_2_01703A02
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703ADD28_2_01703ADD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703AAA28_2_01703AAA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_0170056228_2_01700562
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_0170356728_2_01703567
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_0170356828_2_01703568
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703D4028_2_01703D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_0170053B28_2_0170053B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_0170452828_2_01704528
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_017005ED28_2_017005ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703DDD28_2_01703DDD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703DA028_2_01703DA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_017005A628_2_017005A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703C7328_2_01703C73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703C1D28_2_01703C1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_0170540F28_2_0170540F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_017004D828_2_017004D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_017054A828_2_017054A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_0170174D28_2_0170174D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01709F9028_2_01709F90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01709F8628_2_01709F86
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703E7528_2_01703E75
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01708E3828_2_01708E38
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01708E2828_2_01708E28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01706E1028_2_01706E10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703E1A28_2_01703E1A
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 07E5F6D7EC7CCBC3D742658E9161D799934C6F7F6A3EBF560F361B4EE1730B6A
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00AA8115 appears 39 times
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00AA333F appears 36 times
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00A91D10 appears 31 times
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00AA14F7 appears 45 times
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00AD59E6 appears 70 times
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00AA6B90 appears 71 times
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: String function: 009FE2F0 appears 31 times
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: String function: 009FD870 appears 35 times
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: String function: 009FD940 appears 51 times
          Source: urdavsa.pif.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.328087251.0000000001A70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs E-Remittance Form_z.TXT.exe
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330334339.0000000005760000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs E-Remittance Form_z.TXT.exe
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330306521.0000000003A20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs E-Remittance Form_z.TXT.exe
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330172881.0000000003910000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs E-Remittance Form_z.TXT.exe
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330293563.0000000003A00000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs E-Remittance Form_z.TXT.exe
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330293563.0000000003A00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs E-Remittance Form_z.TXT.exe
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: dxgidebug.dll
          Source: E-Remittance Form_z.TXT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/20@0/0
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009E6D06 GetLastError,FormatMessageW,1_2_009E6D06
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,10_2_00AC33A3
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AF4AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,10_2_00AF4AEB
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AED606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,10_2_00AED606
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AC3EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,FindCloseChangeNotification,2_2_00AC3EC5
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AFE0F6 CoInitialize,CoCreateInstance,CoUninitialize,10_2_00AFE0F6
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009F963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,1_2_009F963A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File created: C:\Users\user\AppData\Local\Temp\82139548
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Command line argument: sfxname | 1_2_009FCBB8
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Command line argument: sfxstime | 1_2_009FCBB8
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Command line argument: STARTDLG | 1_2_009FCBB8
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File read: C:\Windows\win.ini
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File read: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe
          Source: unknown | Process created: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe 'C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe'
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File written: C:\Users\user\AppData\Local\Temp\82139548\pojm.ini
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: E-Remittance Form_z.TXT.exe | Static file information: File size 1441541 > 1048576
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: E-Remittance Form_z.TXT.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: E-Remittance Form_z.TXT.exe
          Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
          Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00A9EE30 LoadLibraryA,GetProcAddress,2_2_00A9EE30
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File created: C:\Users\user\AppData\Local\Temp\82139548\__tmp_rar_sfx_access_check_6736515
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE336 push ecx; ret 1_2_009FE349
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FD870 push eax; ret 1_2_009FD88E
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AA6BD5 push ecx; ret 2_2_00AA6BE8
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ABD53C push 7400ABCFh; iretd 10_2_00ABD541
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AA6BD5 push ecx; ret 10_2_00AA6BE8
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 25_2_00F44708 push esp; iretd 25_2_00F4470B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_0170326C push ss; retf 28_2_0170326D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_017032F5 push ss; retf 28_2_017032F6

          Persistence and Installation Behavior:

          Drops PE files with a suspicious file extension
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif

          Hooking and other Techniques for Hiding and Protection:

          Uses an obfuscated file name to hide its real file extension (double extension)
          Source: Possible double extension: txt.exe | Static PE information: E-Remittance Form_z.TXT.exe
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B0A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,10_2_00B0A2EA
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,10_2_00AC43FF
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM autoit script
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 3588, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 5708, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 2232, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
          Yara detected AntiVM3
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
          Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer (3 occurrences)
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Window / User API: threadDelayed 1185
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Window / User API: threadDelayed 1173
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Window / User API: threadDelayed 1101
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Window / User API: threadDelayed 1097
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5696 | Thread sleep count: 1185 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5696 | Thread sleep count: 33 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 1972 | Thread sleep count: 1173 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 1972 | Thread sleep count: 55 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 2072 | Thread sleep count: 1101 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 2072 | Thread sleep count: 53 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5392 | Thread sleep count: 1097 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5392 | Thread sleep count: 80 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Thread sleep count: Count: 1185 delay: -10
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Thread sleep count: Count: 1173 delay: -10
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Thread sleep count: Count: 1101 delay: -10
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Thread sleep count: Count: 1097 delay: -10
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A09FD3 FindFirstFileExA
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AE2408 FindFirstFileW,Sleep,FindNextFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B08877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AECAE7 FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AEDE7C FindFirstFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FD353 VirtualQuery,GetSystemInfo
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp\82139548\rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp\82139548
          Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exe@
          Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe=
          Source: urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then}
          Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exe5FB536C7
          Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp | Binary or memory string: VboxService.exez
          Source: rpgc.htg.1.dr | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
          Source: rpgc.htg.1.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
          Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exe6BA444D6
          Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
          Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exer
          Source: urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp | Binary or memory string: rocessExists("VboxService.exe") ThenM72
          Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe536C7jz
          Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe,r
          Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") ThenM72
          Source: rpgc.htg.1.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
          Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe637D6
          Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exe
          Source: rpgc.htg.1.dr | Binary or memory string: If ProcessExists("VboxService.exe") Then
          Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe:~
          Source: urdavsa.pif, 00000015.00000003.519079213.0000000001C47000.00000004.00000001.sdmp | Binary or memory string: Exists("VMwareUser.exe") Then
          Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exe
          Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
          Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenv
          Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exeE97637D6
          Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exeU
          Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exeFs
          Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe
          Source: urdavsa.pif, 00000002.00000003.386710610.0000000000B66000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
          Source: rpgc.htg.1.dr | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
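The AutoIt checks recovered above (ProcessExists on the VMware and VirtualBox guest-tool processes, DriveSpaceFree("d:\") < 1, WinGetText("Program Manager") = "0") plus the SBIEDLL.DLL and WIRESHARK.EXE strings in RegSvcs.exe memory are the sample's sandbox tests. The following triage helper is an added example, not part of the Joe Sandbox report and not code from the sample: it pulls those checks out of a decompiled AutoIt script and looks for analysis-tool names in a raw dump. The script text it runs on is reconstructed from the strings listed above, so the Exit/EndIf framing around each If is an assumption, as are all function and variable names.

```python
"""Triage helper for AutoIt sandbox/VM checks (added example, not from the sample)."""
import re
from collections import defaultdict

# Constructed from the rpgc.htg / urdavsa.pif strings in the report; the
# Exit/EndIf bodies are assumed, only the If conditions are from the dump.
SAMPLE_SCRIPT = r'''
If ProcessExists("VMwaretray.exe") Then
    Exit
EndIf
If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
    Exit
EndIf
If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
    Exit
EndIf
If ProcessExists("VboxService.exe") Then
    Exit
EndIf
If ProcessExists("VBoxTray.exe") Then
    Exit
EndIf
If WinGetText("Program Manager") = "0" Then
    Exit
EndIf
'''

# Guest-tool processes whose presence identifies a VMware/VirtualBox guest.
VM_GUEST_PROCESSES = {
    "vmwaretray.exe", "vmwareuser.exe", "vmwareservice.exe",
    "vboxservice.exe", "vboxtray.exe",
}

# Analysis-tool names the report found in RegSvcs.exe memory (Sandboxie, Wireshark).
ANALYSIS_TOOL_STRINGS = (b"SBIEDLL.DLL", b"WIRESHARK.EXE")

PROCESS_RE = re.compile(r'ProcessExists\("([^"]+)"\)', re.IGNORECASE)
DRIVE_RE = re.compile(r'DriveSpaceFree\("([^"]+)"\)\s*([<>=]+)\s*(\d+)', re.IGNORECASE)
WINTEXT_RE = re.compile(r'WinGetText\("([^"]+)"\)\s*=\s*"([^"]*)"', re.IGNORECASE)


def find_antivm_indicators(script: str) -> dict:
    """Return the VM/sandbox checks found in an AutoIt script, grouped by kind."""
    found = defaultdict(list)
    for name in PROCESS_RE.findall(script):
        key = "vm_process_checks" if name.lower() in VM_GUEST_PROCESSES else "other_process_checks"
        found[key].append(name)
    for drive, op, value in DRIVE_RE.findall(script):
        # Free-space tests catch sandboxes with a tiny or missing secondary drive.
        found["drive_space_checks"].append((drive, op, int(value)))
    for title, expected in WINTEXT_RE.findall(script):
        # WinGetText returns "0" when the window has no text, i.e. no real desktop session.
        found["window_text_checks"].append((title, expected))
    return dict(found)


def scan_dump_for_tool_names(data: bytes) -> list:
    """Return analysis-tool names present in a raw memory dump (case-insensitive)."""
    upper = data.upper()
    return sorted(s.decode() for s in ANALYSIS_TOOL_STRINGS if s in upper)


def is_evasive(script: str) -> bool:
    """True if the script tests for guest-tool processes or an empty desktop."""
    ind = find_antivm_indicators(script)
    return bool(ind.get("vm_process_checks") or ind.get("window_text_checks"))


if __name__ == "__main__":
    for kind, items in find_antivm_indicators(SAMPLE_SCRIPT).items():
        print(f"{kind}: {items}")
    print("evasive:", is_evasive(SAMPLE_SCRIPT))
```

Run it on the decompiled script (AutoIt extractors such as Exe2Aut or myAut2Exe produce the text form) rather than on the packed .pif; the ProcessExists list is deliberately small so that legitimate scripts which merely test for their own process name land in other_process_checks instead of triggering.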
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AEA35D BlockInput
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00A9EE30 LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A06AF3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A0ACA1 GetProcessHeap
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE643 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A07BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AA7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AAF170 SetUnhandledExceptionFilter
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AA7CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          .NET source code references suspicious native API functions
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Allocates memory in foreign processes
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 980000 protect: page execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 980000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 980000
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 624000
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC6C61 LogonUserW
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00A9D7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC3321 __wcsicoll,mouse_event,__wcsicoll,mouse_event
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
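The injection evidence above (an RWX allocation at base 980000 in RegSvcs.exe followed by a write whose first bytes are 4D5A) and the process chain (E-Remittance Form_z.TXT.exe starts urdavsa.pif with rpgc.htg, which loops through wscript.exe run.vbs and finally starts RegSvcs.exe with no arguments) are what a detection engineer keys on. The block below is an added example, not Joe Sandbox output and not the Sigma rules the report cites: it runs the corresponding checks over constructed Sysmon-style event records. The event dicts and their field names (image, parent_image, command_line, target_image, written_bytes) are assumptions; the paths, command lines, the 0x980000 base and the MZ prefix are taken from the report, and the benign RegSvcs control event is invented to show the no-arguments condition not firing.

```python
"""Detection checks for the execution chain in this report (added example)."""
import re

DOC_LIKE = r"txt|pdf|doc|docx|xls|xlsx|jpg|png|htm|html"
EXECUTABLE = r"exe|pif|scr|com|bat|cmd"
# A document-like extension immediately followed by an executable one, e.g. .TXT.exe.
DOUBLE_EXT_RE = re.compile(rf"\.({DOC_LIKE})\.({EXECUTABLE})$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\\(wscript|cscript)\.exe$", re.IGNORECASE)
SCRIPT_ARG_RE = re.compile(r"""([A-Za-z]:\\[^'"]+?\.(vbs|vbe|js|jse|wsf))""", re.IGNORECASE)
# .NET framework utilities that loaders like this one hollow out.
DOTNET_UTILITY_RE = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(RegSvcs|RegAsm|MSBuild|InstallUtil)\.exe$",
    re.IGNORECASE)
TRUSTED_DIR_RE = re.compile(r"^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\", re.IGNORECASE)

# Constructed events mirroring the report's process tree and the MZ write into RegSvcs.exe.
EVENTS = [
    {"type": "process_create", "pid": 1,
     "image": r"C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": ""},
    {"type": "process_create", "pid": 2,
     "image": r"C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif",
     "parent_image": r"C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe",
     "command_line": r"'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg"},
    {"type": "process_create", "pid": 3,
     "image": r"C:\Windows\SysWOW64\wscript.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif",
     "command_line": r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'"},
    {"type": "process_create", "pid": 28,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif",
     "command_line": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "memory_write", "pid": 25,
     "image": r"C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif",
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "target_base": 0x980000, "written_bytes": bytes.fromhex("4D5A90000300")},
    # Invented benign control: a developer registering a COM+ assembly with arguments.
    {"type": "process_create", "pid": 40,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"RegSvcs.exe /tlb C:\build\MyService.dll"},
]


def command_arguments(cmd: str, image: str) -> str:
    """Return the argument part of a command line, whether the image is given by full path or basename."""
    base = image.rsplit("\\", 1)[-1]
    stripped = cmd.strip().strip("'\"")
    for prefix in (image, base):
        if stripped.lower().startswith(prefix.lower()):
            return stripped[len(prefix):].strip().lstrip("'\"").strip()
    return stripped


def detect(events: list) -> list:
    """Return (rule, pid, detail) tuples for events matching the chain seen in this report."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            image, parent, cmd = ev["image"], ev["parent_image"], ev["command_line"]
            if DOUBLE_EXT_RE.search(image):
                alerts.append(("double_extension", ev["pid"], image))
            if image.lower().endswith(".pif") and TEMP_RE.search(image):
                alerts.append(("pif_from_temp", ev["pid"], image))
            if SCRIPT_HOST_RE.search(image):
                m = SCRIPT_ARG_RE.search(cmd)
                if m and TEMP_RE.search(m.group(1)):
                    alerts.append(("script_from_temp", ev["pid"], m.group(1)))
            # RegSvcs.exe does nothing useful without arguments; launched argument-less
            # from a user-writable path it is almost always a hollowing target.
            if (DOTNET_UTILITY_RE.search(image) and not command_arguments(cmd, image)
                    and not TRUSTED_DIR_RE.match(parent)):
                alerts.append(("dotnet_utility_no_args_from_user_path", ev["pid"], parent))
        elif ev["type"] == "memory_write":
            # A PE header (MZ) written into another process is the injection itself.
            if ev["written_bytes"][:2] == b"MZ" and not TRUSTED_DIR_RE.match(ev["image"]):
                alerts.append(("pe_written_to_foreign_process", ev["pid"],
                               f"{ev['target_image']}@{ev['target_base']:#x}"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:40} pid={pid:<3} {detail}")
```

The memory-write check is the one with the best signal: Sysmon does not log WriteProcessMemory contents, so in practice it is fed from an EDR or a sandbox API trace, whereas the three process-creation checks run on ordinary Sysmon event 1 data and on their own produce the "script from Temp" and "WScript dropper" hits the report lists under Sigma.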
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: urdavsa.pif, 00000002.00000003.391144529.0000000000B88000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: urdavsa.pif.1.dr | Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
          Source: urdavsa.pif, urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: urdavsa.pif, 00000002.00000003.386710610.0000000000B66000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
          Source: rpgc.htg.1.dr | Binary or memory string: If WinGetText("Program Manager") = "0" Then
          Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
          Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: urdavsa.pif, 00000002.00000002.391973257.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 0000000A.00000002.458737854.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 00000015.00000000.457959788.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 00000019.00000002.585114275.0000000000B12000.00000002.00020000.sdmp | Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE34B cpuid
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009F9D99 GetLocaleInfoW,GetNumberFormatW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FCBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B02BF9 GetUserNameW
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AAE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EA995 GetVersionExW
          Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected HawkEye Keylogger
          Source: Yara match | File source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
          Yara detected MailPassView
          Source: Yara match | File source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000003.582261171.0000000004A95000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
          Yara detected WebBrowserPassView password recovery tool
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95bd5.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50345.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFi