Windows Analysis Report E-Remittance Form_z.TXT.exe

Overview

General Information

Sample Name: E-Remittance Form_z.TXT.exe
Analysis ID: 465268
MD5: 0c3bdc11fd6454bb67da849864170b44
SHA1: 1c925518e075761758a47f677016c95f5e80c92c
SHA256: bdade907a458b6c9d2e87af5667c3b8a16aa7804535634ed662b0e07c34f64b1
Tags: exe, HawkEye
Detection

Families: HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected AntiVM autoit script
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • E-Remittance Form_z.TXT.exe (PID: 5956 cmdline: 'C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe' MD5: 0C3BDC11FD6454BB67DA849864170B44)
    • urdavsa.pif (PID: 3588 cmdline: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg MD5: CDBB08D4234736C4A052DC3F181E66F2)
      • wscript.exe (PID: 2520 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • urdavsa.pif (PID: 5708 cmdline: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg MD5: CDBB08D4234736C4A052DC3F181E66F2)
          • wscript.exe (PID: 5564 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
            • urdavsa.pif (PID: 2232 cmdline: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg MD5: CDBB08D4234736C4A052DC3F181E66F2)
              • wscript.exe (PID: 1360 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
                • urdavsa.pif (PID: 5552 cmdline: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg MD5: CDBB08D4234736C4A052DC3F181E66F2)
                  • RegSvcs.exe (PID: 4684 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView", "browserpv"], "Version": "HawkEye Keylogger - Reborn v9{"}

Yara Overview

Memory Dumps

Source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp
  Rule: MAL_HawkEye_Keylogger_Gen_Dec18 (Detects HawkEye Keylogger Reborn), author: Florian Roth
    • 0x87a2e:$s1: HawkEye Keylogger
    • 0x87a97:$s1: HawkEye Keylogger
    • 0x80e71:$s2: _ScreenshotLogger
    • 0x80e3e:$s3: _PasswordStealer
  Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger), author: Joe Security
Source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp
  Rule: MAL_HawkEye_Keylogger_Gen_Dec18 (Detects HawkEye Keylogger Reborn), author: Florian Roth
    • 0x77bbc:$s2: _ScreenshotLogger
    • 0x78108:$s2: _ScreenshotLogger
    • 0x77b89:$s3: _PasswordStealer
    • 0x780d5:$s3: _PasswordStealer
  Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger), author: Joe Security
Source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp
  Rule: MAL_HawkEye_Keylogger_Gen_Dec18 (Detects HawkEye Keylogger Reborn), author: Florian Roth
    • 0x87c4e:$s1: HawkEye Keylogger
    • 0x87cb7:$s1: HawkEye Keylogger
    • 0x81091:$s2: _ScreenshotLogger
    • 0x8105e:$s3: _PasswordStealer
(18 further memory-dump entries not shown)

Unpacked PEs

Source: 28.2.RegSvcs.exe.7da834a.4.unpack
  Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (Detects BabyShark KimJongRAT), author: Florian Roth
    • 0x11bb0:$a1: logins.json
    • 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
    • 0x12334:$s4: \mozsqlite3.dll
    • 0x115a4:$s5: SMTP Password
  Rule: JoeSecurity_MailPassView (Yara detected MailPassView), author: Joe Security
Source: 28.2.RegSvcs.exe.980000.0.unpack
  Rule: MAL_HawkEye_Keylogger_Gen_Dec18 (Detects HawkEye Keylogger Reborn), author: Florian Roth
    • 0x87c2e:$s1: HawkEye Keylogger
    • 0x87c97:$s1: HawkEye Keylogger
    • 0x81071:$s2: _ScreenshotLogger
    • 0x8103e:$s3: _PasswordStealer
  Rule: SUSP_NET_NAME_ConfuserEx (Detects ConfuserEx packed file), author: Arnim Rupp
    • 0x87601:$name: ConfuserEx
    • 0x8630e:$compile: AssemblyTitle
  Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger), author: Joe Security
(27 further unpacked-PE entries not shown)
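As an added example (not part of the Joe Sandbox report and not the code of the rule authors cited above), the Python below reproduces what the Strings entries above record: for each rule string, the offsets at which it occurs in a memory buffer. It checks both ASCII and UTF-16LE ("wide") encodings, because .NET string literals such as the HawkEye version string are stored wide, and renders hits in the report's "0x87a2e:$s1: HawkEye Keylogger" style. The buffer is constructed here, and the two-of-three condition is this example's assumption, not a statement of the published rule's condition.

```python
# Added example: Yara-style string scan over a constructed memory buffer.
# Not the report's code and not the cited rules; the "2 of them" condition
# below is this example's assumption.
from typing import Dict, List, Tuple

RULE_STRINGS = {              # identifiers as shown in the report's hits
    "$s1": "HawkEye Keylogger",
    "$s2": "_ScreenshotLogger",
    "$s3": "_PasswordStealer",
}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """All (possibly overlapping) offsets of needle in buf."""
    out, pos = [], buf.find(needle)
    while pos != -1:
        out.append(pos)
        pos = buf.find(needle, pos + 1)
    return out


def scan(buf: bytes, strings: Dict[str, str] = RULE_STRINGS,
         min_matches: int = 2) -> Tuple[bool, Dict[str, List[Tuple[int, str]]]]:
    """Return (matched, hits); hits maps id -> [(offset, encoding), ...].

    Each string is searched in ASCII and in UTF-16LE (the encoding of .NET
    string literals), so a wide-only literal is still found.
    """
    hits = {}
    for ident, text in strings.items():
        found = [(o, "ascii") for o in find_all(buf, text.encode("ascii"))]
        found += [(o, "wide") for o in find_all(buf, text.encode("utf-16-le"))]
        if found:
            hits[ident] = sorted(found)
    return len(hits) >= min_matches, hits


def format_hits(hits, strings: Dict[str, str] = RULE_STRINGS) -> List[str]:
    """Render hits like the report's '0x87a2e:$s1: HawkEye Keylogger' lines."""
    return [f"0x{off:x}:{ident}: {strings[ident]} ({enc})"
            for ident, lst in hits.items() for off, enc in lst]


# Constructed memory-dump stand-in: padding, a .NET-style wide version
# string, two ASCII type names, more padding. Not real sample data.
SAMPLE = (b"\x00" * 0x40
          + "HawkEye Keylogger - Reborn v9".encode("utf-16-le")
          + b"\x00" * 0x20 + b"_ScreenshotLogger\x00_PasswordStealer\x00"
          + b"\xff" * 0x10)
# Constructed benign buffer that shares words but not the rule strings.
BENIGN = b"Keylogger detection notes: _Password handling policy\x00" * 3


if __name__ == "__main__":
    matched, hits = scan(SAMPLE)
    print("matched:", matched)
    for line in format_hits(hits):
        print(" ", line)
```

The wide match for $s1 lands at the start of the version string while the ASCII search for the same text finds nothing, which is why a rule that only carries an `ascii` modifier misses .NET payloads like this one.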

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started | Author: Florian Roth, Max Altgelt | Data:
  • Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
  • CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
  • CommandLine|base64offset|contains: (empty)
  • Image: C:\Windows\SysWOW64\wscript.exe
  • NewProcessName: C:\Windows\SysWOW64\wscript.exe
  • OriginalFileName: C:\Windows\SysWOW64\wscript.exe
  • ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
  • ParentImage: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
  • ParentProcessId: 3588
  • ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
  • ProcessId: 2520
Note the path mismatch in this event: the command line names C:\Windows\System32\WScript.exe, but the image that actually ran is C:\Windows\SysWOW64\wscript.exe. The parent is a 32-bit process (the report flags the sample as 32-bit PE), so WOW64 file-system redirection maps its System32 reference to SysWOW64. Detection logic that matches only the full System32 image path misses this launch; match on the image basename or on both directories.
Sigma detected: WScript or CScript Dropper
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community | Data: the same event as above (wscript.exe PID 2520 running run.vbs from C:\Users\user\AppData\Local\Temp\82139548, parent urdavsa.pif PID 3588)
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data:
  • Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  • CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  • CommandLine|base64offset|contains: (empty)
  • Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  • NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  • OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  • ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
  • ParentImage: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
  • ParentProcessId: 5552
  • ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  • ProcessId: 4684
RegSvcs.exe is a signed Microsoft .NET utility. Here it is started with no arguments by urdavsa.pif, and the HawkEye and MailPassView Yara hits sit in RegSvcs.exe's memory (28.2.RegSvcs.exe.980000.0.unpack and 28.2.RegSvcs.exe.7da834a.4.unpack above); read together with the "Creates a process in suspended mode", "Allocates memory in foreign processes" and "Injects a PE file into a foreign processes" signatures, the process is the injection host for the .NET payload, not a legitimate component registration. An argument-less RegSvcs.exe whose parent runs from a user-writable directory is the event worth alerting on.
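As an added example (not part of the Joe Sandbox report), the Python below replays process-creation events reconstructed from the process tree above through checks that mirror the Sigma hits (script host launched with a script from %TEMP%, a .pif executing from %TEMP%, a double file extension, RegSvcs.exe started without arguments by a parent outside C:\Windows) and one lineage check across the whole tree. The field names follow the Sigma data above; the parent of the top-level sample (not shown in the report, so ppid 0), the benign notepad event, the extension lists and the detection names are this example's assumptions.

```python
# Added example: replay the report's process tree through simple
# process-creation detections. Not the report's code; PIDs and paths are
# taken from the process tree above, everything else is assumed.
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Paths as they appear in the report's process tree.
TMP = r"C:\Users\user\AppData\Local\Temp\82139548" + "\\"
DESK = r"C:\Users\user\Desktop" + "\\"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"


def pif(pid, ppid):
    return Proc(pid, ppid, TMP + "urdavsa.pif", f"'{TMP}urdavsa.pif' rpgc.htg")


def vbs(pid, ppid):
    # The command line names System32\WScript.exe; the logged image is the
    # WOW64-redirected SysWOW64 path, as the Sigma data in the report shows.
    return Proc(pid, ppid, WSCRIPT,
                f"'C:\\Windows\\System32\\WScript.exe' '{TMP}run.vbs'")


# Events reconstructed from the report's process tree (PIDs as listed).
# The sample's own parent is not shown in the report, so its ppid is 0.
# The notepad event is a constructed benign control.
TREE = [
    Proc(5956, 0, DESK + "E-Remittance Form_z.TXT.exe",
         f"'{DESK}E-Remittance Form_z.TXT.exe'"),
    pif(3588, 5956), vbs(2520, 3588), pif(5708, 2520), vbs(5564, 5708),
    pif(2232, 5564), vbs(1360, 2232), pif(5552, 1360),
    Proc(4684, 5552, REGSVCS, REGSVCS),
    Proc(1111, 0, r"C:\Windows\System32\notepad.exe",
         r"notepad.exe C:\Users\user\Documents\notes.txt"),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
TEMP_SCRIPT_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[^'\"]+?\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd)\b", re.I)
DOUBLE_EXT_RE = re.compile(
    r"\.(txt|doc|docx|pdf|xls|xlsx|jpg|png|zip)\.(exe|scr|pif|com)$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ODD_EXEC_EXT = (".pif", ".scr", ".com")
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def check_event(ev, by_pid):
    """Detections that fire on a single process-creation event."""
    hits, name = [], basename(ev.image).lower()
    parent = by_pid.get(ev.ppid)
    if name in SCRIPT_HOSTS and TEMP_SCRIPT_RE.search(ev.cmdline):
        hits.append("script_from_temp")           # the report's Sigma hits
    if DOUBLE_EXT_RE.search(name):
        hits.append("double_extension")           # E-Remittance Form_z.TXT.exe
    if name.endswith(ODD_EXEC_EXT) and TEMP_RE.search(ev.image):
        hits.append("odd_extension_in_temp")      # urdavsa.pif
    no_args = ev.cmdline.strip().strip("'\"").lower().endswith(name)
    if (name in DOTNET_UTILS and no_args and parent is not None
            and not parent.image.lower().startswith("c:\\windows\\")):
        hits.append("dotnet_util_no_args_odd_parent")  # RegSvcs.exe host
    return hits


def lineage(pid, by_pid):
    """Image basenames from pid up to the root of the tree, nearest first."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image).lower())
        pid = by_pid[pid].ppid
    return chain


def check_lineage(ev, by_pid):
    """Flag a .NET utility whose ancestry mixes a script host and a .pif."""
    ancestors = lineage(ev.ppid, by_pid)
    if (basename(ev.image).lower() in DOTNET_UTILS
            and SCRIPT_HOSTS & set(ancestors)
            and any(a.endswith(ODD_EXEC_EXT) for a in ancestors)):
        return ["relaunch_chain_to_dotnet_util"]
    return []


def run(tree):
    """Map pid -> detection names for every event that fired at least one."""
    by_pid = {p.pid: p for p in tree}
    report = {}
    for ev in tree:
        hits = check_event(ev, by_pid) + check_lineage(ev, by_pid)
        if hits:
            report[ev.pid] = hits
    return report


if __name__ == "__main__":
    for pid, hits in run(TREE).items():
        print(pid, hits)
```

The lineage check is the one that survives renaming: a .pif and a script host alternating three times before a signed .NET utility appears is the shape of this tree, whatever the dropped file is called.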

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: RegSvcs.exe.4684.28.memstrmin | Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "browserpv"], "Version": "HawkEye Keylogger - Reborn v9{"}
Multi AV Scanner detection for domain / URL
Source: https://a.pomf.cat/ | Virustotal: Detection: 7%
Source: http://pomf.cat/upload.php | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | ReversingLabs: Detection: 46%
Source: 28.2.RegSvcs.exe.980000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: E-Remittance Form_z.TXT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: E-Remittance Form_z.TXT.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: E-Remittance Form_z.TXT.exe
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A09FD3 FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AE2408 FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B08877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AECAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AEDE7C FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp\82139548\rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp\82139548
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD2285 InternetQueryDataAvailable,InternetReadFile,
Source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: urdavsa.pif, 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: urdavsa.pif.1.dr | String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: urdavsa.pif.1.dr | String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.globalsign.net/repository/0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.globalsign.net/repository/03
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.globalsign.net/repository09
Source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AEA0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AFD8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD42E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW,
Source: urdavsa.pif, 00000002.00000002.392280466.0000000000CCA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B0C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

System Summary:

Malicious sample detected (through community Yara rule)
Source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, author: Florian Roth
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, author: ditekshen
Source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, author: Florian Roth
Source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, author: Florian Roth
Source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, author: Florian Roth
Source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, author: Florian Roth
Source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn, author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn, author: Florian Roth
Caveat on the BabyShark hits: every string the APT_NK_BabyShark_KimJoingRAT_Apr19_1 rule matched in this sample (logins.json, the SELECT ... FROM moz_login statement, \mozsqlite3.dll, "SMTP Password") belongs to the embedded NirSoft password-recovery tools, which the same memory region (0000001C.00000002.589273699.0000000007D50000) identifies through the WebBrowserPassView.pdb and mailpv.pdb paths and the nirsoft.net URL listed above. The extracted HawkEye configuration names exactly those modules (mailpv, WebBrowserPassView). The match is therefore a shared-component overlap and not evidence tying this sample to the BabyShark/KimJongRAT activity; classify it as HawkEye.
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009E6FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD6219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009E83C0
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A0C0B0
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009E30FC
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A00113
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009F626D
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009F33D3
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FF3CA
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EF5C5
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EE510
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A00548
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A0C55E
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009E2692
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009F66A2
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009F364E
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A10654
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009F589E
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FF8C6
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009F397F
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EE973
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EDADD
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EBAD1
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A03CBA
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FFCDE
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009F6CDB
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009E5D7E
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009E3EAD
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A03EE9
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EDF12
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00A998F0
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00A935F0
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AB088F
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AAC8CE
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AAA137
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AA1903
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AB1F2C
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AA3721
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00A9F730
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00A935F0
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00A998F0
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AA2136
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AAA137
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AB427D
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADF3A6
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00A998F0
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AA2508
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD655F
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AA3721
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00A9F730
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AB088F
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AA28F0
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AAC8CE
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AA1903
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADEAD5
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B0EA2B
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AB3BA1
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AA1D98
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AB0DE0
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD2D2D
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD4EB7
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADCE8D
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AB1F2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01709912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01702068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01700C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01706C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_017004E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_017054B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01702ECD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_017029F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_017029E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_017039D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01707870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_017048E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_017038E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_017010E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703B1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703BF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703BCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01700BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703A77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703A02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703AAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01700562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_01703D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_0170053B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01704528
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_017005ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703DDD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703DA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_017005A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703C73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703C1D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_0170540F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_017004D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_017054A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_0170174D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01709F90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01709F86
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703E75
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01708E38
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01708E28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01706E10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 28_2_01703E1A
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 07E5F6D7EC7CCBC3D742658E9161D799934C6F7F6A3EBF560F361B4EE1730B6A
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00AA8115 appears 39 times
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00AA333F appears 36 times
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00A91D10 appears 31 times
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00AA14F7 appears 45 times
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00AD59E6 appears 70 times
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: String function: 00AA6B90 appears 71 times
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: String function: 009FE2F0 appears 31 times
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: String function: 009FD870 appears 35 times
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: String function: 009FD940 appears 51 times
          Source: urdavsa.pif.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.328087251.0000000001A70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs E-Remittance Form_z.TXT.exe
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330334339.0000000005760000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs E-Remittance Form_z.TXT.exe
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330306521.0000000003A20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs E-Remittance Form_z.TXT.exe
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330172881.0000000003910000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs E-Remittance Form_z.TXT.exe
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330293563.0000000003A00000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs E-Remittance Form_z.TXT.exe
          Source: E-Remittance Form_z.TXT.exe, 00000001.00000002.330293563.0000000003A00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs E-Remittance Form_z.TXT.exe
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Section loaded: dxgidebug.dll
          Source: E-Remittance Form_z.TXT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/20@0/0
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009E6D06 GetLastError,FormatMessageW,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AF4AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AED606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AC3EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,FindCloseChangeNotification,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AFE0F6 CoInitialize,CoCreateInstance,CoUninitialize,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009F963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File created: C:\Users\user\AppData\Local\Temp\82139548
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Command line argument: sfxname
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Command line argument: sfxstime
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Command line argument: STARTDLG
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File read: C:\Windows\win.ini
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File read: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe
          Source: unknown | Process created: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe 'C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe'
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File written: C:\Users\user\AppData\Local\Temp\82139548\pojm.ini
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: E-Remittance Form_z.TXT.exe | Static file information: File size 1441541 > 1048576
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: E-Remittance Form_z.TXT.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: E-Remittance Form_z.TXT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: E-Remittance Form_z.TXT.exe
          Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
          Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: E-Remittance Form_z.TXT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00A9EE30 LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File created: C:\Users\user\AppData\Local\Temp\82139548\__tmp_rar_sfx_access_check_6736515
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE336 push ecx; ret
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FD870 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AA6BD5 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ABD53C push 7400ABCFh; iretd
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AA6BD5 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 25_2_00F44708 push esp; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_0170326C push ss; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_2_017032F5 push ss; retf

          Persistence and Installation Behavior:

          Drops PE files with a suspicious file extension
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | File created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif

          Hooking and other Techniques for Hiding and Protection:

          Uses an obfuscated file name to hide its real file extension (double extension)
          Source: Possible double extension: txt.exe | Static PE information: E-Remittance Form_z.TXT.exe
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B0A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM autoit script
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 3588, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 5708, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 2232, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
          Yara detected AntiVM3
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
          Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer (3 occurrences)
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Window / User API: threadDelayed 1185
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Window / User API: threadDelayed 1173
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Window / User API: threadDelayed 1101
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Window / User API: threadDelayed 1097
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5696 | Thread sleep count: 1185 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5696 | Thread sleep count: 33 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 1972 | Thread sleep count: 1173 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 1972 | Thread sleep count: 55 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 2072 | Thread sleep count: 1101 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 2072 | Thread sleep count: 53 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5392 | Thread sleep count: 1097 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif TID: 5392 | Thread sleep count: 80 > 30
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Thread sleep count: Count: 1185 delay: -10
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Thread sleep count: Count: 1173 delay: -10
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Thread sleep count: Count: 1101 delay: -10
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Thread sleep count: Count: 1097 delay: -10
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A09FD3 FindFirstFileExA,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AE2408 FindFirstFileW,Sleep,FindNextFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B08877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AECAE7 FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AEDE7C FindFirstFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FD353 VirtualQuery,GetSystemInfo,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp\82139548\rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | File opened: C:\Users\user\AppData\Local\Temp\82139548
          Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exe@
          Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe=
          Source: urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then}
          Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exe5FB536C7
          Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp | Binary or memory string: VboxService.exez
          Source: rpgc.htg.1.dr | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
          Source: rpgc.htg.1.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
          Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exe6BA444D6
          Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
          Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exer
          Source: urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp | Binary or memory string: rocessExists("VboxService.exe") ThenM72
          Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe536C7jz
          Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe,r
          Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") ThenM72
          Source: rpgc.htg.1.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
          Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe637D6
          Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exe
          Source: rpgc.htg.1.dr | Binary or memory string: If ProcessExists("VboxService.exe") Then
          Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe:~
          Source: urdavsa.pif, 00000015.00000003.519079213.0000000001C47000.00000004.00000001.sdmp | Binary or memory string: Exists("VMwareUser.exe") Then
          Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exe
          Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
          Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenv
          Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exeE97637D6
          Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exeU
          Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exeFs
          Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe
          Source: urdavsa.pif, 00000002.00000003.386710610.0000000000B66000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
          Source: rpgc.htg.1.dr | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AEA35D BlockInput,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00A9EE30 LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A06AF3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A0ACA1 GetProcessHeap,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE643 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A07BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AA7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AAF170 SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AA7CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard
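The AutoIt condition lines recovered above (ProcessExists checks for VMware and VirtualBox guest-tool processes, a DriveSpaceFree("d:\") < 1 test combined with a process check, and the WinGetText("Program Manager") = "0" desktop test) can be triaged mechanically rather than read one memory string at a time. The Python below is an added example, not code from the report or from the sample: it parses such condition lines, lists the artifacts the script probes (the sandbox hardening checklist), and evaluates the conditions against a described environment so an analyst can see which checks a given sandbox configuration would trip. The sample script is constructed from the condition lines shown in the report only (the If bodies are not on the page), the two environment descriptions are constructed, and treating a drive absent from the description as 0 MB free is an assumption.

```python
"""Triage of AutoIt anti-VM conditions (added example; not the sample's or the report's code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: only the condition lines the report recovered from rpgc.htg and
# from urdavsa.pif memory; the bodies of the If blocks are not shown in the report.
SAMPLE_SCRIPT = r'''
If ProcessExists("VMwaretray.exe") Then
If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
If ProcessExists("VboxService.exe") Then
If ProcessExists("VBoxTray.exe") Then
If WinGetText("Program Manager") = "0" Then
'''

@dataclass(frozen=True)
class Atom:
    kind: str    # "process" | "drive_space" | "window_text"
    target: str  # process image name, drive root, or window title
    value: str   # MB threshold, expected window text, or "" for process checks

@dataclass(frozen=True)
class Condition:
    source: str             # the original If line
    atoms: tuple[Atom, ...]
    conjunctive: bool       # True when the atoms are joined with And

IF_RE = re.compile(r'^\s*If\s+(.*?)\s+Then\s*$', re.I)
PROC_RE = re.compile(r'ProcessExists\("([^"]+)"\)', re.I)
DRIVE_RE = re.compile(r'DriveSpaceFree\("([^"]+)"\)\s*<\s*(\d+)', re.I)
WIN_RE = re.compile(r'WinGetText\("([^"]+)"\)\s*=\s*"([^"]*)"', re.I)
AND_RE = re.compile(r'\bAnd\b', re.I)

def parse_atom(expr: str) -> Atom | None:
    if m := PROC_RE.search(expr):
        return Atom("process", m.group(1), "")
    if m := DRIVE_RE.search(expr):
        return Atom("drive_space", m.group(1), m.group(2))  # AutoIt reports free space in MB
    if m := WIN_RE.search(expr):
        return Atom("window_text", m.group(1), m.group(2))
    return None

def parse_antivm_conditions(script: str) -> list[Condition]:
    """Turn each If ... Then line into a Condition; only And-joined atoms are supported."""
    conds = []
    for line in script.splitlines():
        m = IF_RE.match(line)
        if not m:
            continue
        if re.search(r'\bOr\b', m.group(1), re.I):
            raise NotImplementedError(f"Or-joined condition not handled: {line.strip()}")
        parts = AND_RE.split(m.group(1))
        atoms = tuple(a for a in map(parse_atom, parts) if a is not None)
        if atoms:
            conds.append(Condition(line.strip(), atoms, len(parts) > 1))
    return conds

def atom_holds(atom: Atom, env: dict) -> bool:
    """Evaluate one atom against a described (not live) environment."""
    if atom.kind == "process":
        return atom.target.lower() in {p.lower() for p in env["processes"]}
    if atom.kind == "drive_space":
        # Assumption: a drive that is absent from the description counts as 0 MB free.
        return env["drive_free_mb"].get(atom.target.lower(), 0) < int(atom.value)
    if atom.kind == "window_text":
        return env["window_text"].get(atom.target, "") == atom.value
    raise ValueError(atom.kind)

def triggered(conds: list[Condition], env: dict) -> list[str]:
    """Source lines of the conditions this environment satisfies (the evasion branch is taken)."""
    hits = []
    for c in conds:
        res = [atom_holds(a, env) for a in c.atoms]
        if all(res) if c.conjunctive else any(res):
            hits.append(c.source)
    return hits

def probed_artifacts(conds: list[Condition]) -> dict[str, list[str]]:
    """Distinct processes, drives and windows the script inspects: the sandbox hardening checklist."""
    out: dict[str, set[str]] = {"process": set(), "drive_space": set(), "window_text": set()}
    for c in conds:
        for a in c.atoms:
            out[a.kind].add(a.target)
    return {k: sorted(v, key=str.lower) for k, v in out.items()}

# Constructed environment descriptions: a stock VirtualBox guest and a hardened analysis host.
VBOX_SANDBOX = {"processes": {"explorer.exe", "VBoxService.exe", "VBoxTray.exe"},
                "drive_free_mb": {"c:\\": 40000}, "window_text": {"Program Manager": "0"}}
HARDENED_HOST = {"processes": {"explorer.exe", "svchost.exe"},
                 "drive_free_mb": {"c:\\": 40000, "d:\\": 5000},
                 "window_text": {"Program Manager": "Desktop"}}

if __name__ == "__main__":
    conds = parse_antivm_conditions(SAMPLE_SCRIPT)
    print(probed_artifacts(conds))
    print("VirtualBox sandbox trips:", triggered(conds, VBOX_SANDBOX))
    print("Hardened host trips:", triggered(conds, HARDENED_HOST))
```

The two VMware lines are worth noting: because they are And-joined with DriveSpaceFree("d:\") < 1, a guest that runs VMwareUser.exe but also exposes a D: drive with free space does not trip them, which is why the evaluator keeps per-line structure instead of just collecting process names.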

          HIPS / PFW / Operating System Protection Evasion:

          .NET source code references suspicious native API functions
          Source: 28.2.RegSvcs.exe.980000.0.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Allocates memory in foreign processes
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 980000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 980000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 980000
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 624000
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC6C61 LogonUserW,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00A9D7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC3321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
          Source: urdavsa.pif, 00000002.00000003.391144529.0000000000B88000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: urdavsa.pif.1.dr | Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
          Source: urdavsa.pif, urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: urdavsa.pif, 00000002.00000003.386710610.0000000000B66000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
          Source: rpgc.htg.1.dr | Binary or memory string: If WinGetText("Program Manager") = "0" Then
          Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
          Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: urdavsa.pif, 00000002.00000002.391973257.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 0000000A.00000002.458737854.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 00000015.00000000.457959788.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 00000019.00000002.585114275.0000000000B12000.00000002.00020000.sdmp | Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FE34B cpuid
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: GetLocaleInfoW,GetNumberFormatW,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FCBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B02BF9 GetUserNameW,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AAE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
          Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EA995 GetVersionExW,
          Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
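The injection sequence in this section (an executable region allocated in RegSvcs.exe at base 980000, then a write to that same base whose first bytes are 4D5A, the MZ header) and the process chain (urdavsa.pif launching wscript.exe with run.vbs from the user's Temp folder, wscript.exe relaunching the .pif, and the .pif finally spawning RegSvcs.exe with no arguments) are exactly the events the injection signatures and the two Sigma rules key on. The Python below is an added example, not code from the report or from Joe Sandbox: it encodes those rules as functions over a constructed event stream that mirrors the report's own lines, including the double-extension name of the original sample. The event schema, the lists of script hosts, executable and decoy extensions and .NET host binaries, and the Temp-path test are assumptions made for this example and should be tuned to the monitored environment.

```python
"""Detection rules for the injection and dropper chain in the report (added example, not report code)."""
from __future__ import annotations
import ntpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str                 # "process_created" | "memory_allocated" | "memory_written"
    source: str               # image path of the acting process
    target: str = ""          # child image (process_created) or target process (memory_*)
    cmdline: str = ""         # child command line (process_created)
    base: int = 0             # region base (memory_*)
    protect: str = ""         # page protection as the monitor reports it (memory_allocated)
    first_bytes: bytes = b""  # first bytes of the written buffer (memory_written)

# Constructed event stream mirroring the report's lines (paths and bases as reported).
TEMP = r"C:\Users\user\AppData\Local\Temp\82139548"
PIF = TEMP + r"\urdavsa.pif"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE = r"C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe"
EVENTS = [
    Event("process_created", SAMPLE, PIF, f"'{PIF}' rpgc.htg"),
    Event("process_created", PIF, WSCRIPT, f"'C:\\Windows\\System32\\WScript.exe' '{TEMP}\\run.vbs'"),
    Event("process_created", WSCRIPT, PIF, f"'{PIF}' rpgc.htg"),
    Event("process_created", PIF, REGSVCS, REGSVCS),
    Event("memory_allocated", PIF, REGSVCS, base=0x980000, protect="page execute and read and write"),
    Event("memory_written", PIF, REGSVCS, base=0x980000, first_bytes=b"MZ"),
    Event("memory_written", PIF, REGSVCS, base=0x624000, first_bytes=b"\x00\x00"),
]

# Assumptions for this example: which binaries count as script hosts, which extensions are
# executable, which document extensions are used as decoys, and which .NET utilities are
# commonly chosen as injection hosts. Tune these lists to your environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EXEC_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXT = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}
TEMP_MARK = "\\appdata\\local\\temp\\"

def in_user_temp(path: str) -> bool:
    return TEMP_MARK in path.lower()

def looks_double_extension(path: str) -> bool:
    """'Form_z.TXT.exe': an executable extension directly after a decoy document extension."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    _, inner = ntpath.splitext(stem)
    return ext.lower() in EXEC_EXT and inner.lower() in DECOY_EXT

def detect_injection(events: list[Event]) -> list[tuple[str, str]]:
    """Executable region allocated in another process, then an MZ header written to that base."""
    alerts, exec_regions = [], set()
    for e in events:
        if e.source == e.target:
            continue
        if e.kind == "memory_allocated" and "execute" in e.protect.lower():
            exec_regions.add((e.source, e.target, e.base))
        elif e.kind == "memory_written":
            who = f"{ntpath.basename(e.source)} -> {ntpath.basename(e.target)} @ {e.base:#x}"
            if e.first_bytes.startswith(b"MZ") and (e.source, e.target, e.base) in exec_regions:
                alerts.append(("pe_injection", "PE image written into executable foreign region: " + who))
            else:
                alerts.append(("foreign_memory_write", who))
    return alerts

def detect_process_chain(events: list[Event]) -> list[tuple[str, str]]:
    """Script-host dropper, script run from Temp, .NET host spawned from Temp, double extension."""
    alerts = []
    for e in events:
        if e.kind != "process_created":
            continue
        parent, child = ntpath.basename(e.source).lower(), ntpath.basename(e.target).lower()
        if parent in SCRIPT_HOSTS and in_user_temp(e.target):
            alerts.append(("script_host_dropper", f"{parent} launched {child} from the user's Temp folder"))
        if child in SCRIPT_HOSTS and in_user_temp(e.cmdline):
            alerts.append(("script_from_temp", f"{child} executing a script from Temp: {e.cmdline}"))
        if in_user_temp(e.source) and child in DOTNET_HOSTS:
            alerts.append(("dotnet_host_from_temp", f"{parent} in Temp spawned {child}"))
        for img in (e.source, e.target):
            if looks_double_extension(img):
                alerts.append(("double_extension", ntpath.basename(img)))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect_injection(EVENTS) + detect_process_chain(EVENTS):
        print(f"[{rule}] {detail}")
```

The injection rule deliberately requires all three facts (foreign target, executable allocation at the same base by the same writer, MZ at offset 0) before raising the high-severity alert; a write that lacks one of them is still reported, but only as a foreign memory write, which keeps ordinary cross-process writes by debuggers or accessibility tools from being scored as PE injection.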

          Stealing of Sensitive Information:

          Yara detected HawkEye Keylogger
          Source: Yara match | File source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
          Yara detected MailPassView
          Source: Yara match | File source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000003.582261171.0000000004A95000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
          Yara detected WebBrowserPassView password recovery tool
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95bd5.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50345.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000003.582261171.0000000004A95000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
          Source: urdavsa.pif | Binary or memory string: WIN_XP
          Source: urdavsa.pif | Binary or memory string: WIN_XPe
          Source: urdavsa.pif | Binary or memory string: WIN_VISTA
          Source: urdavsa.pif.1.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
          Source: urdavsa.pif | Binary or memory string: WIN_7
          Source: urdavsa.pif | Binary or memory string: WIN_8
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR

          Remote Access Functionality:

          Detected HawkEye Rat
          Source: urdavsa.pif, 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
          Source: RegSvcs.exe, 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
          Yara detected HawkEye Keylogger
          Source: Yara match | File source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AFC06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B065D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
          Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AF4EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts 2 | Scripting 11 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 11 | Input Capture 31 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Native API 11 | Valid Accounts 2 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 31 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Command and Scripting Interpreter 2 | Logon Script (Windows) | Valid Accounts 2 | Scripting 11 | Security Account Manager | File and Directory Discovery 4 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Access Token Manipulation 21 | Obfuscated Files or Information 12 | NTDS | System Information Discovery 36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Process Injection 312 | Software Packing 2 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | Security Software Discovery 221 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 2 | DCSync | Virtualization/Sandbox Evasion 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts 2 | Proc Filesystem | Process Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion 2 | /etc/passwd and /etc/shadow | Application Window Discovery 11 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation 21 | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
          Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection 312 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process