Analysis Report SecuriteInfo.com.Trojan.Inject3.45252.31864.14151

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Inject3.45252.31864.14151 (renamed file extension from 14151 to exe)
Analysis ID: 251363
MD5: ca737fb9bc4c18613ff5d789c53bc815
SHA1: c0d9505e802b2399c6e4b2bb47aafa3b490b115f
SHA256: ba4b2f524b82bec30f74540c124034b082a275b83a94c20ccede668f83f05a0f

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Inject3.45252.31864.exe (PID: 4224 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe' MD5: CA737FB9BC4C18613FF5D789C53BC815)
    • RegAsm.exe (PID: 5408 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 5492 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 1764 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
      • vbc.exe (PID: 3820 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 6000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 176 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
      • vbc.exe (PID: 2988 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 2328 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x10127:$key: HawkEyeKeylogger
  • 0x12391:$salt: 099u787978786
  • 0x10768:$string1: HawkEye_Keylogger
  • 0x115bb:$string1: HawkEye_Keylogger
  • 0x122f1:$string1: HawkEye_Keylogger
  • 0x10b51:$string2: holdermail.txt
  • 0x10b71:$string2: holdermail.txt
  • 0x10a93:$string3: wallet.dat
  • 0x10aab:$string3: wallet.dat
  • 0x10ac1:$string3: wallet.dat
  • 0x11eb5:$string4: Keylog Records
  • 0x121cd:$string4: Keylog Records
  • 0x123e9:$string5: do not script -->
  • 0x1010f:$string6: \pidloc.txt
  • 0x1019d:$string7: BSPLIT
  • 0x101ad:$string7: BSPLIT
00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x107c0:$hawkstr1: HawkEye Keylogger
  • 0x11601:$hawkstr1: HawkEye Keylogger
  • 0x11930:$hawkstr1: HawkEye Keylogger
  • 0x11a8b:$hawkstr1: HawkEye Keylogger
  • 0x11bee:$hawkstr1: HawkEye Keylogger
  • 0x11e8d:$hawkstr1: HawkEye Keylogger
  • 0x1034e:$hawkstr2: Dear HawkEye Customers!
  • 0x11983:$hawkstr2: Dear HawkEye Customers!
  • 0x11ada:$hawkstr2: Dear HawkEye Customers!
  • 0x11c41:$hawkstr2: Dear HawkEye Customers!
  • 0x1046f:$hawkstr3: HawkEye Logger Details:
00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b717:$key: HawkEyeKeylogger
  • 0x7d981:$salt: 099u787978786
  • 0x7bd58:$string1: HawkEye_Keylogger
  • 0x7cbab:$string1: HawkEye_Keylogger
  • 0x7d8e1:$string1: HawkEye_Keylogger
  • 0x7c141:$string2: holdermail.txt
  • 0x7c161:$string2: holdermail.txt
  • 0x7c083:$string3: wallet.dat
  • 0x7c09b:$string3: wallet.dat
  • 0x7c0b1:$string3: wallet.dat
  • 0x7d4a5:$string4: Keylog Records
  • 0x7d7bd:$string4: Keylog Records
  • 0x7d9d9:$string5: do not script -->
  • 0x7b6ff:$string6: \pidloc.txt
  • 0x7b78d:$string7: BSPLIT
  • 0x7b79d:$string7: BSPLIT
00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
13.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
1.2.RegAsm.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 5408, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 3820

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Virustotal: Detection: 50%
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Metadefender: Detection: 21%
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | ReversingLabs: Detection: 37%
Source: 1.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.RegAsm.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 13_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then call 056DA6E8h 1_2_07A52DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] 1_2_07A52DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] 1_2_07A543CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] 1_2_07E39F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] 1_2_07E37ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] 1_2_07E3A430
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 10.76.9.0.in-addr.arpa
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: RegAsm.exe, 00000001.00000002.883257344.0000000002FE1000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000004.00000003.840546955.00000000051D0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | String found in binary or memory: http://signalr.net/
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000001.00000003.802562575.00000000061A3000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.
Source: RegAsm.exe, 00000001.00000003.797239334.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: RegAsm.exe, 00000001.00000003.797239334.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com&
Source: RegAsm.exe, 00000001.00000003.797239334.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com?
Source: RegAsm.exe, 00000001.00000003.797147698.00000000061A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: RegAsm.exe, 00000001.00000003.796959007.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comW
Source: RegAsm.exe, 00000001.00000003.797239334.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comZ
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000001.00000003.795402511.0000000006192000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000001.00000003.796093196.00000000061CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000001.00000003.795402511.0000000006192000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnx
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WerFault.exe, 00000004.00000003.857963671.00000000010D5000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.c
Source: RegAsm.exe, 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp, vbc.exe, vbc.exe, 0000000D.00000002.875431958.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000001.00000002.883257344.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000001.00000002.901545826.00000000062E6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000001.00000003.797239334.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 00000001.00000003.797239334.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: RegAsm.exe, 00000001.00000003.796959007.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.l
Source: RegAsm.exe, 00000001.00000003.797239334.00000000061A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnori
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | String found in binary or memory: https://github.com/SignalR/SignalR/blob/master/LICENSE.md

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E3679C SetWindowsHookExA 0000000D,00000000,?,? 1_2_07E3679C
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 13_2_0040AC8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000002.883257344.0000000002FE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.792231271.0000000005399000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.792231271.0000000005399000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.789276543.0000000003C95000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.789276543.0000000003C95000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exeCode function: 0_2_013B1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,0_2_013B1C09
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exeCode function: 0_2_013B00AD NtOpenSection,NtMapViewOfSection,0_2_013B00AD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_07A52A04 NtSetContextThread,1_2_07A52A04
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_07A529E0 NtResumeThread,1_2_07A529E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_07A529F8 NtWriteVirtualMemory,1_2_07A529F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_07A58DF9 NtSetContextThread,1_2_07A58DF9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_07A58D41 NtWriteVirtualMemory,1_2_07A58D41
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_07A58BE1 NtResumeThread,1_2_07A58BE1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_07A52A34 NtResumeThread,1_2_07A52A34
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_07A52A10 NtSetContextThread,1_2_07A52A10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_07A52A1C NtResumeThread,1_2_07A52A1C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_07A52A64 NtSetContextThread,1_2_07A52A64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07A52A4C NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07A52A58 NtSetContextThread
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02FCB29C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02FCC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02FC99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_02FCDFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07A52DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07A54BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07A552F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07A50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07A52DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E35EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E355E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E3B480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E3A440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E39B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E392E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E3B473
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E39B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E39B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E352A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E30007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07E3001F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 1764
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs SecuriteInfo.com.Trojan.Inject3.45252.31864.exe
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs SecuriteInfo.com.Trojan.Inject3.45252.31864.exe
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs SecuriteInfo.com.Trojan.Inject3.45252.31864.exe
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792717866.0000000005A22000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs SecuriteInfo.com.Trojan.Inject3.45252.31864.exe
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.791696480.0000000005170000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamerazJYKkoCjrLiIIn.river.exe4 vs SecuriteInfo.com.Trojan.Inject3.45252.31864.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.883257344.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.792231271.0000000005399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.792231271.0000000005399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.789276543.0000000003C95000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.789276543.0000000003C95000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@11/11@2/0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5408
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3820
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER49D5.tmp
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Virustotal: Detection: 50%
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Metadefender: Detection: 21%
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | ReversingLabs: Detection: 37%
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | String found in binary or memory: // Unsubscribe all hub proxies when we "disconnect". This is to ensure that we do not re-add functional call backs. // (instance, shouldSubscribe) registerHubProxies(proxies, false); }); /*hubs*/
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | String found in binary or memory: // Unsubscribe all hub proxies when we "disconnect". This is to ensure that we do not re-add functional call backs.
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 1764
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 176
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
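The process tree above is the HawkEye pattern a responder wants to recognise elsewhere: the dropped sample starts RegAsm.exe with an empty command line (the hollowed host for the RAT, matching the NtWriteVirtualMemory/NtSetContextThread calls listed at the top of this section), and RegAsm.exe then starts vbc.exe with /stext pointing at holderwb.txt and holdermail.txt in the user's Temp folder, which is the NirSoft WebBrowserPassView/mailpv dump that precedes exfiltration. The Python below is an added triage example written for this page, not code from the Joe Sandbox report or from HawkEye. It consumes a constructed condensation of this report's entries in "Source: <process> | <signature>: <detail>" form, plus one constructed benign control line (MSBuild compiling a VB file); the list of hollowing targets is an analyst-chosen assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a condensation of this report's process-creation and
# native-API entries, plus one constructed benign control line (MSBuild
# compiling a VB file), in "Source: <process> | <signature>: <detail>" form.
REPORT_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07A52A4C NtWriteVirtualMemory",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07A52A58 NtSetContextThread",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'",
    # Constructed benign control: a real build invoking the VB compiler with a source file.
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /target:exe Program.vb",
]

# Signed Microsoft binaries that .NET crypters commonly hollow because they run
# quietly with no arguments (analyst-chosen list; an assumption, not from the page).
HOLLOWING_TARGETS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "msbuild.exe",
                     "installutil.exe", "aspnet_compiler.exe", "applaunch.exe"}
# Native calls that together write a payload into a suspended process and
# redirect its thread to it, i.e. the hollowing primitive this report flags.
HOLLOWING_APIS = {"NtWriteVirtualMemory", "NtSetContextThread"}

LINE_RE = re.compile(r"^Source: (?P<src>.+?) \| (?P<sig>[^:]+): (?P<detail>.*)$")
PROC_RE = re.compile(r"^(?P<image>\S+?\.exe)\s*(?P<cmdline>.*)$", re.IGNORECASE)
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")   # quoted argument or bare word


def basename(path):
    """Lower-cased final component of a Windows path (works on any host OS)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(lines):
    """Split report lines into process creations and native calls per image."""
    creations = []                 # (parent_path, image_path, [args])
    apis = defaultdict(set)        # image basename -> {Nt* names seen}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sig, detail = m.group("src"), m.group("sig"), m.group("detail")
        if sig == "Process created":
            p = PROC_RE.match(detail)
            if not p:
                continue
            tokens = [t.strip("'\"") for t in TOKEN_RE.findall(p.group("cmdline"))]
            creations.append((src, p.group("image"), tokens[1:]))   # drop argv[0]
        elif sig == "Code function":
            apis[basename(src)].update(re.findall(r"\bNt[A-Za-z]+", detail))
    return creations, apis


def triage(lines):
    """Return (rule, subject, evidence) tuples for the three HawkEye tells."""
    creations, apis = parse(lines)
    findings = []
    for image, calls in sorted(apis.items()):
        if HOLLOWING_APIS <= calls:
            findings.append(("hollowing_api_pair", image, sorted(HOLLOWING_APIS)))
    for parent, image, args in creations:
        name = basename(image)
        # A known hollowing target launched with an empty command line by a
        # user-land parent: legitimate use of these tools always passes arguments.
        if name in HOLLOWING_TARGETS and not args:
            findings.append(("argless_hollowing_target", name, basename(parent)))
        # NirSoft "/stext <file>" into %TEMP%: the embedded mailpv / WebBrowserPassView
        # run that HawkEye uses to dump credentials before exfiltrating the file.
        for i, arg in enumerate(args[:-1]):
            if arg.lower() == "/stext" and "\\appdata\\local\\temp\\" in args[i + 1].lower():
                findings.append(("nirsoft_stext_dump", name, args[i + 1]))
    return findings


if __name__ == "__main__":
    for rule, subject, evidence in triage(REPORT_LINES):
        print(f"{rule:26} {subject:12} {evidence}")
```

The two process rules translate directly to Sysmon Event ID 1 or EDR process-creation telemetry (parent image, image, command line); the API-pair rule needs a sandbox report or an API-tracing source. The Temp files named in the nirsoft_stext_dump findings are the artefacts to collect first, since they hold the harvested credentials in clear text.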
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: iphlpapi.pdbA_@ source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 0000000E.00000002.909541728.00000000054D0000.00000002.00000001.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.821263985.000000000127D000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.885183528.00000000053E1000.00000004.00000001.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.844862974.0000000004CE2000.00000004.00000040.sdmp
              Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.885183528.00000000053E1000.00000004.00000001.sdmp
              Source: Binary string: System.Management.ni.pdb*7r$ source: WerFault.exe, 00000004.00000003.845097421.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: ml.pdb source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.pdb*7r$ source: WerFault.exe, 00000004.00000003.845097421.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: pnrpnsp.pdbXn source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdb8 source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.844989437.0000000004CEE000.00000004.00000040.sdmp
              Source: Binary string: untime.Remoting.pdb{{ source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: Accessibility.pdb*7r$ source: WerFault.exe, 00000004.00000003.845097421.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.883257344.0000000002FE1000.00000004.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp, vbc.exe
              Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: RegAsm.exe, 00000001.00000002.905977056.00000000088FA000.00000004.00000010.sdmp
              Source: Binary string: System.Drawing.pdb< source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.PDB source: RegAsm.exe, 00000001.00000002.905977056.00000000088FA000.00000004.00000010.sdmp
              Source: Binary string: sfc.pdb! source: WerFault.exe, 00000004.00000003.845007935.0000000004CF1000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb`[< source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: System.Management.ni.pdbRSDSJ source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: winnsi.pdbbnA source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: rsaenh.pdb0i source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: wbemcomn.pdbdnK source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: System.Core.ni.pdb` source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: profapi.pdbq'{f source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000001.00000002.905977056.00000000088FA000.00000004.00000010.sdmp, WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.844862974.0000000004CE2000.00000004.00000040.sdmp
              Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.845444561.0000000004CE0000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: Accessibility.pdb| source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000004.00000003.845047953.0000000004CFE000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb< source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: iCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000004.00000002.860145189.00000000001B2000.00000004.00000010.sdmp, WerFault.exe, 0000000E.00000002.904411186.0000000000D92000.00000004.00000010.sdmp
              Source: Binary string: dnsapi.pdbnnM source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: propsys.pdbK_J source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb<3 source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: winspool.pdbW_V source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 0000000E.00000002.909541728.00000000054D0000.00000002.00000001.sdmp
              Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.844862974.0000000004CE2000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000004.00000003.844862974.0000000004CE2000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.844862974.0000000004CE2000.00000004.00000040.sdmp
              Source: Binary string: clrjit.pdb$i source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000004.00000003.845047953.0000000004CFE000.00000004.00000040.sdmp
              Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: System.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000004.00000003.844989437.0000000004CEE000.00000004.00000040.sdmp
              Source: Binary string: fastprox.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: winrnr.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\exe\RegAsm.pdbn source: RegAsm.exe, 00000001.00000002.905504285.0000000007EB7000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: WMINet_Utils.pdb/?z! source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: .pdbV source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.845444561.0000000004CE0000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Windows\exe\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.905504285.0000000007EB7000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000004.00000003.845158346.0000000004BD4000.00000004.00000001.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: System.Runtime.Remoting.pdbU7sZ source: WerFault.exe, 00000004.00000003.845097421.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: anagement.pdb source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: RegAsm.pdb source: WerFault.exe, 00000004.00000002.871545620.0000000000E80000.00000002.00000001.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.845444561.0000000004CE0000.00000004.00000040.sdmp
              Source: Binary string: clr.pdb source: WerFault.exe, 00000004.00000003.844989437.0000000004CEE000.00000004.00000040.sdmp
              Source: Binary string: .ni.pdb source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: ility.pdb source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: i0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000001.00000002.905977056.00000000088FA000.00000004.00000010.sdmp
              Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: wmswsock.pdb.i source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.885183528.00000000053E1000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: RegAsm.pdb4 source: WerFault.exe, 00000004.00000002.871545620.0000000000E80000.00000002.00000001.sdmp
              Source: Binary string: mscoree.pdb source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp
              Source: Binary string: comctl32v582.pdb/?z! source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: setupapi.pdbM_L source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.844862974.0000000004CE2000.00000004.00000040.sdmp
              Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.905977056.00000000088FA000.00000004.00000010.sdmp
              Source: Binary string: .pdb0 source: RegAsm.exe, 00000001.00000002.905977056.00000000088FA000.00000004.00000010.sdmp
              Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.844862974.0000000004CE2000.00000004.00000040.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.882743278.0000000001455000.00000004.00000001.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000004.00000003.844989437.0000000004CEE000.00000004.00000040.sdmp
              Source: Binary string: ws2_32.pdb"i source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp
              Source: Binary string: Kernel.Appcore.pdb,7r" source: WerFault.exe, 00000004.00000003.845444561.0000000004CE0000.00000004.00000040.sdmp
              Source: Binary string: edputil.pdb:i source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: DWrite.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: System.Management.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: System.Management.ni.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.844989437.0000000004CEE000.00000004.00000040.sdmp
              Source: Binary string: nsi.pdb% source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.885183528.00000000053E1000.00000004.00000001.sdmp
              Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.905977056.00000000088FA000.00000004.00000010.sdmp
              Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.905504285.0000000007EB7000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.pdb{ source: RegAsm.exe, 00000001.00000002.905977056.00000000088FA000.00000004.00000010.sdmp
              Source: Binary string: rawing.pdb source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.845444561.0000000004CE0000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp
              Source: Binary string: b.pdbtx source: RegAsm.exe, 00000001.00000002.905298585.0000000007E40000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdb4 source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdb`< source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdb*7r$ source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.845063277.0000000004BD1000.00000004.00000001.sdmp
              Source: Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: anagement.ni.pdb source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: winrnr.pdb@ng source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER49D5.tmp.dmp.4.dr
              Source: Binary string: clrjit.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.844862974.0000000004CE2000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc.pdb<i source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.ni.pdb*7r$ source: WerFault.exe, 00000004.00000003.845097421.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdbE source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: SecuriteInfo.com.Trojan.Inject3.45252.31864.exe, 00000000.00000002.792481851.00000000059A2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000002.879972108.0000000000402000.00000040.00000001.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: System.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: mscorlib.pdbx0sp source: WerFault.exe, 00000004.00000003.845097421.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.845444561.0000000004CE0000.00000004.00000040.sdmp
              Source: Binary string: psapi.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.pdb! source: RegAsm.exe, 00000001.00000002.882743278.0000000001455000.00000004.00000001.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: profapi.pdb%?s" source: WerFault.exe, 00000004.00000003.844887285.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: rawing.pdb" source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb*7r$ source: WerFault.exe, 00000004.00000003.845097421.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdb source: WerFault.exe, 00000004.00000003.842449769.0000000004ED0000.00000004.00000001.sdmp, WER49D5.tmp.dmp.4.dr
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.845391674.0000000004CEB000.00000004.00000040.sdmp
              Source: Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000004.00000003.845181241.0000000004BE9000.00000004.00000001.sdmp
              Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
              Source: Binary string: edputil.pdb source: WerFault.exe, 00000004.00000003.844938107.0000000004CF2000.00000004.00000001.sdmp
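The "Binary string: ... .pdb" entries above are PDB paths carved out of process memory and the WerFault crash dump. Almost all of them belong to Windows and .NET framework modules mapped into RegAsm.exe and WerFault.exe; the one that matters is f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb, the build path of the NirSoft tool bundled in the payload. The Python below is an added illustration, not code from the Joe Sandbox report: it decodes CodeView RSDS records (the authoritative PDB reference in a PE debug directory, which also yields the symbol-server key) and does the loose regex sweep that produces the truncated fragments listed above. The sample buffer, GUID and age are constructed for the example; only the WebBrowserPassView path is taken from the report.

```python
import re
import uuid
from typing import Dict, List

# Constructed sample buffer (not bytes from the analysed binary): filler, one
# CodeView RSDS record, and a stray PDB path string of the kind memory dumps carry.
# GUID and age are invented; the path is the WebBrowserPassView one from the report.
_SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
_SAMPLE_PATH = rb"f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb"
SAMPLE_BLOB = (
    b"\x00" * 64
    + b"RSDS" + _SAMPLE_GUID.bytes_le + (1).to_bytes(4, "little") + _SAMPLE_PATH + b"\x00"
    + b"\x90" * 32
    + b"stray text mentioning C:\\Windows\\mscorlib.pdb then junk\x00"
)

# Loose match for drive-letter or \??\ NT paths ending in .pdb. A sweep like this is
# what yields the truncated entries in the report ("rawing.pdb", "anagement.pdb").
_PDB_PATH_RE = re.compile(rb"(?:[A-Za-z]:\\|\\\?\?\\)[^\x00\r\n]{1,260}?\.pdb", re.IGNORECASE)


def parse_rsds_records(blob: bytes) -> List[Dict[str, object]]:
    """Decode every CodeView 'RSDS' (PDB 7.0) record found in blob.

    Layout: b'RSDS' | GUID (16 bytes, Windows little-endian field order) |
    age (uint32 LE) | NUL-terminated PDB path. GUID and age form the
    symbol-server key; the path is what the sandbox lists as a 'Binary string'.
    """
    records: List[Dict[str, object]] = []
    pos = 0
    while True:
        pos = blob.find(b"RSDS", pos)
        if pos < 0 or pos + 24 > len(blob):
            break
        guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])
        age = int.from_bytes(blob[pos + 20:pos + 24], "little")
        end = blob.find(b"\x00", pos + 24)
        if end < 0:
            end = len(blob)
        records.append({
            "offset": pos,
            "guid": str(guid),
            "age": age,
            "path": blob[pos + 24:end].decode("latin-1"),
        })
        pos = end
    return records


def symbol_server_key(record: Dict[str, object]) -> str:
    """Key used to fetch <name>.pdb from a symbol server: 32 hex GUID digits + age in hex."""
    return uuid.UUID(str(record["guid"])).hex.upper() + format(int(record["age"]), "X")


def find_loose_pdb_paths(blob: bytes) -> List[str]:
    """Regex sweep for PDB paths that are not behind an RSDS header (memory-dump noise)."""
    return [m.group(0).decode("latin-1") for m in _PDB_PATH_RE.finditer(blob)]


def triage_pdb_paths(paths: List[str]) -> List[str]:
    """Drop paths that look like Microsoft build trees or symbol caches; what is left
    (here the NirSoft tool) is what deserves a second look."""
    noise = ("c:\\windows\\", "\\??\\c:\\windows\\", "f:\\binaries.", "symbols\\")
    return [p for p in paths if not p.lower().startswith(noise)]
```

The RSDS path is trustworthy only for the module it is embedded in; the loose sweep over a WerFault dump mixes in every DLL the crashing process had loaded, which is why the list above is dominated by system modules.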

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 13_2_00403C3D
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe Code function: 0_2_01331548 pushfd ; iretd 0_2_01331549
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_02FCE672 push esp; ret 1_2_02FCE679
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_07A51C20 push eax; retf 0007h 1_2_07A51C22
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_07A51C3F push edx; retf 0007h 1_2_07A51C42
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_07A523A0 push ebp; retf 0007h 1_2_07A52442
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_07A52382 push ebp; retf 0007h 1_2_07A52392
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_07A522D9 push ebp; retf 0007h 1_2_07A522DA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_07E3FDA0 push ds; retf 0007h 1_2_07E3FDA2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_07E3DAC0 push es; retf 0007h 1_2_07E3DAC2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_07E3DA99 push es; retf 0007h 1_2_07E3DA9A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_07E3D1A9 push esp; retf 1_2_07E3D1AA
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00411879 push ecx; ret 13_2_00411889
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004118A0 push eax; ret 13_2_004118B4
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004118A0 push eax; ret 13_2_004118DC
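The "push <reg>; retf 0007h", "push esp; ret" and "pushfd ; iretd" sequences flagged in RegAsm.exe and vbc.exe above are stack-based control-flow tricks: the return instruction consumes whatever the push just placed on the stack as its target, so a disassembler following the fall-through path decodes garbage. The scanner below is an added example, not code from the report, that sweeps raw code bytes for a PUSH immediately followed by a return. The SAMPLE_CODE buffer is constructed; the opcode tables are the standard 32-bit x86 encodings.

```python
from typing import List, Optional, Tuple

# Single-byte PUSH encodings in 32-bit x86 code (standard opcode map).
PUSH_OPCODES = {
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x9C: "pushfd",
}


def decode_return(buf: bytes, i: int) -> Optional[Tuple[str, int]]:
    """(mnemonic, length) if buf[i:] starts with RET / RET imm16 / RETF / RETF imm16 / IRETD."""
    if i >= len(buf):
        return None
    op = buf[i]
    if op == 0xC3:
        return "ret", 1
    if op == 0xCB:
        return "retf", 1
    if op == 0xCF:
        return "iretd", 1
    if op in (0xC2, 0xCA) and i + 3 <= len(buf):
        imm = int.from_bytes(buf[i + 1:i + 3], "little")
        return ("ret" if op == 0xC2 else "retf") + f" {imm:04X}h", 3
    return None


def find_push_ret_gadgets(buf: bytes) -> List[Tuple[int, str]]:
    """Linear sweep for a PUSH immediately followed by a return.

    'push reg; ret' jumps to whatever the register holds; 'push x; retf 0007h'
    pops both EIP and CS and then adds 7 to ESP, so the bytes after it are never
    executed as the disassembler shows them. The sweep checks every byte offset,
    not just instruction boundaries, so expect false positives inside immediates
    or data: treat hits as a triage signal, not proof.
    """
    hits: List[Tuple[int, str]] = []
    for i in range(len(buf) - 1):
        push = PUSH_OPCODES.get(buf[i])
        if push is None:
            continue
        ret = decode_return(buf, i + 1)
        if ret is not None:
            hits.append((i, f"{push}; {ret[0]}"))
    return hits


# Constructed sample (not bytes from the analysed binary): an ordinary prologue and
# epilogue around four of the gadget shapes the report lists.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"        # push ebp; mov ebp, esp   - ordinary prologue, no hit
    b"\x33\xC0"            # xor eax, eax
    b"\x50\xCA\x07\x00"    # push eax; retf 0007h     - hit at offset 5
    b"\x90\x90\x90\x90"    # nop x4
    b"\x54\xC3"            # push esp; ret            - hit at offset 13
    b"\x9C\xCF"            # pushfd; iretd            - hit at offset 15
    b"\x1E\xCA\x07\x00"    # push ds; retf 0007h      - hit at offset 17
    b"\x5D\xC3"            # pop ebp; ret             - ordinary epilogue, no hit
)
```

Run it over the raw bytes of an executable section rather than the whole file; in a .NET image the native code is JIT-generated at run time, which is why the report's hits sit at heap addresses (0x07A5xxxx, 0x07E3xxxx) inside RegAsm.exe rather than in the file's own .text.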
              Source: initial sample Static PE information: section name: .text entropy: 6.97578119683
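A .text entropy of 6.97578 is the static packing indicator behind the last line: ordinary compiled code sits well below that, while compressed or encrypted payloads (here a second assembly handed to Assembly.Load(byte[])) push a section towards 8 bits per byte. The Python below is an added example, not part of the report: it walks a PE section table with struct alone and scores each section's Shannon entropy. The 6.8 threshold and the two-section test image are constructed assumptions for the example.

```python
import math
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY_THRESHOLD = 6.8  # assumed triage cut-off; plain x86 code is usually around 6.0-6.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> List[Dict[str, object]]:
    """Walk the PE section table (no pefile dependency); return name, flags and raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    off = coff + 20 + size_of_optional  # COFF file header is 20 bytes
    sections: List[Dict[str, object]] = []
    for _ in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, off)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "flags": flags,
            "raw": image[raw_ptr:raw_ptr + raw_size],
        })
        off += 40  # sizeof(IMAGE_SECTION_HEADER)
    return sections


def section_entropy_report(image: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> List[Dict[str, object]]:
    """Score each section; flag executable sections whose entropy reaches the threshold."""
    report: List[Dict[str, object]] = []
    for s in pe_sections(image):
        h = shannon_entropy(s["raw"])
        executable = bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)
        report.append({"name": s["name"], "entropy": round(h, 5),
                       "executable": executable, "suspicious": executable and h >= threshold})
    return report


def build_test_image(sections: List[Tuple[bytes, bytes, int]]) -> bytes:
    """Assemble a minimal PE (DOS stub, COFF header, no optional header) around the
    given (name, raw bytes, characteristics) tuples. Constructed for the example:
    not loadable, just enough for the section-table walk above."""
    header_size = 0x40 + 4 + 20 + 40 * len(sections)
    raw_base = (header_size + 0x1FF) & ~0x1FF  # file-align raw data at 0x200 like a linker
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers, body = b"", b""
    for name, raw, flags in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(raw), 0x1000,
                               len(raw), raw_base + len(body), 0, 0, 0, 0, flags)
        body += raw
    return bytes(dos) + b"PE\x00\x00" + coff + headers + b"\x00" * (raw_base - header_size) + body


# Constructed sample sections: a .text holding every byte value equally (entropy 8.0,
# the packed-payload case) and an .rdata of a two-symbol pattern (entropy 1.0).
SAMPLE_SECTIONS = [
    (b".text", bytes(range(256)) * 16, 0x60000020),   # CNT_CODE | MEM_EXECUTE | MEM_READ
    (b".rdata", b"AB" * 2048, 0x40000040),            # CNT_INITIALIZED_DATA | MEM_READ
]
```

For a .NET executable like this sample the whole managed image lives in .text, so an embedded encoded assembly or resource raises the section's entropy even though the IL around it is ordinary; confirm a high score against the unpacker findings (Assembly.Load(byte[])) rather than treating the number alone as proof of packing.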

              Hooking and other Techniques for Hiding and Protection:

              Changes the view of files in windows explorer (hidden files and folders)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_0040F64B
              Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe Process information set: NOOPENFILEERRORBOX (14 occurrences)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (52 occurrences)
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 occurrences)
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (14 occurrences)
              Note: the "Process information set" entries are SetErrorMode flags that suppress Windows error dialogs (a missing-file box, a crash box). Runtimes and crash handlers such as WerFault set them as a matter of course, so on their own they are weak evidence of evasion; the Explorer "Hidden" registry change above and the process-hollowing and credential-theft findings elsewhere in the report are what carry the verdict.
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 300000
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe TID: 3140 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 908 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4404 Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4796 Thread sleep time: -140000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5220 Thread sleep time: -300000s >= -30000s
              Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 13_2_00406EC3
              Source: WerFault.exe, 00000004.00000002.875748973.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.910197718.0000000005660000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: WerFault.exe, 00000004.00000003.858248400.0000000001245000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
              Source: WerFault.exe, 00000004.00000002.875748973.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.910197718.0000000005660000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: WerFault.exe, 00000004.00000002.875748973.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.910197718.0000000005660000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: RegAsm.exe, 00000001.00000002.882363247.00000000013B7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: WerFault.exe, 00000004.00000003.858248400.0000000001245000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWt?r
              Source: WerFault.exe, 00000004.00000002.875748973.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.910197718.0000000005660000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process queried: DebugPort
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_07E3BD40 LdrInitializeThunk, 1_2_07E3BD40
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 13_2_00403C3D
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe Code function: 0_2_013B01CB mov eax, dword ptr fs:[00000030h] 0_2_013B01CB
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe Code function: 0_2_013B00AD mov ecx, dword ptr fs:[00000030h] 0_2_013B00AD
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe Code function: 0_2_013B00AD mov eax, dword ptr fs:[00000030h] 0_2_013B00AD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              .NET source code references suspicious native API functions
              Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31864.exe.59a0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 1.2.RegAsm.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
              Maps a DLL or memory area into another process
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
              Sample uses process hollowing technique
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
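              The sleep, DebugPort and PEB-access lines in the anti-analysis block above and the section-unmap and process-creation lines under this signature are what a triage script would correlate to reconstruct the chain sample.exe -> RegAsm.exe (injected) -> vbc.exe (hollowed, running a '/stext' dump). The following Python is an added example and is not part of the Joe Sandbox report or of the sample's code: it parses behaviour lines in the form extracted here (including the run-together 'RegAsm.exeProcess created:' spacing and the trailing 'Jump to behavior' link text) and raises findings for the sleep-based evasion, the ProcessDebugPort queries, the RWX section load into RegAsm.exe, the hollowing of vbc.exe and the '/stext' credential dumps. Assumptions, also marked in the code: the embedded input is a constructed subset of the report's own lines; the unit of the 'Thread sleep time: -Ns' lines is taken as milliseconds, consistent with the report rating 300000 as '>= 3 min'; 0x400000 is treated as the image base that the hollowing step unmaps; and '/stext' is read as the NirSoft 'save as text' switch, which the report's MailPassView and WebBrowserPassView detections support.

```python
"""Added triage helper; not part of the Joe Sandbox report or of the sample.

Parses 'Source: <process> <event>: <detail>' behaviour lines as extracted in the
report and raises: sleep evasion, ProcessDebugPort queries, RWX injection,
process hollowing (same parent launches the child and unmaps its image base)
and NirSoft-style '/stext <file>' credential dumps inside the hollowed host.
"""
import re

TIMESPAN_MAX_MS = 922_337_203_685_477   # .NET TimeSpan.MaxValue in ms: the "sleep forever" value in the report
SLEEP_THRESHOLD_MS = 30_000             # the >= 30 s bar the report's own sleep lines compare against
DEFAULT_IMAGE_BASE = 0x400000           # assumption: 32-bit default image base, the unmap target in the report

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*(?:TID:\s*(?P<tid>\d+))?\s*"
    r"(?P<event>Thread delayed|Thread sleep time|Process queried|Section unmapped|"
    r"Section loaded|Process created):\s*(?P<detail>.*?)\s*(?:Jump to behavior)?$"
)

# Constructed sample input: a subset of the report's lines in their raw extracted form.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 300000Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4404Thread sleep time: -120000s >= -30000sJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 8Jump to behavior",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'Jump to behavior",
]


def parse_line(line):
    """Return the fields of a recognised behaviour line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def image_name(path):
    """Lower-cased file name of a Windows path, for case-insensitive correlation."""
    return path.rsplit("\\", 1)[-1].lower()


def sleep_ms(detail):
    """Millisecond count from either sleep line shape.

    'delay time: N' is N ms. '-Ns >= -30000s' prints the same value negated; the
    report rates 300000 as '>= 3 min', so the unit is taken to be ms (assumption)."""
    return abs(int(re.search(r"-?\d+", detail).group(0)))


def analyse(lines):
    """Run the checks over report lines; return a list of (kind, actor, detail) tuples."""
    findings = []
    unmapped = set()   # (parent, child): parent unmapped the child's image base
    launches = []      # (parent, child, command line) from 'Process created' lines
    for e in filter(None, map(parse_line, lines)):
        src, ev, detail = image_name(e["src"]), e["event"], e["detail"]
        if ev in ("Thread delayed", "Thread sleep time"):
            ms = sleep_ms(detail)
            if ms == TIMESPAN_MAX_MS:
                findings.append(("sleep_forever", src, ms))
            elif ms >= SLEEP_THRESHOLD_MS:
                findings.append(("long_sleep", src, ms))
        elif ev == "Process queried" and "DebugPort" in detail:
            # NtQueryInformationProcess(ProcessDebugPort): non-zero means a debugger is attached
            findings.append(("anti_debug", src, "ProcessDebugPort"))
        elif ev == "Section unmapped":
            m = re.match(r"(?P<target>.+?\.exe)\s*base address:\s*(?P<base>[0-9A-Fa-f]+)", detail)
            # Only an unmap at the image base is the hollowing step; 'base address: 8' is not.
            if m and int(m["base"], 16) == DEFAULT_IMAGE_BASE:
                unmapped.add((src, image_name(m["target"])))
        elif ev == "Section loaded":
            m = re.match(r"unknown target:\s*(?P<target>.+?\.exe)\s*protection:\s*(?P<prot>.*)", detail)
            if m and "execute" in m["prot"] and "write" in m["prot"]:
                findings.append(("rwx_injection", src, image_name(m["target"])))
        elif ev == "Process created":
            m = re.match(r"(?P<image>.+?\.exe)\s+(?P<cmdline>.*)", detail)
            if m:
                launches.append((src, image_name(m["image"]), m["cmdline"]))
    # Hollowing = the same parent both launched the child and unmapped its image base.
    launched = {(parent, child) for parent, child, _ in launches}
    for parent, child in sorted(unmapped & launched):
        findings.append(("process_hollowing", parent, child))
    # '/stext <file>' is the NirSoft "save as text" switch; a .NET compiler host has no such option.
    for _, child, cmdline in launches:
        out = re.search(r"/stext\s+'([^']+)'", cmdline)
        if out:
            findings.append(("credential_dump", child, out.group(1)))
    return findings


if __name__ == "__main__":
    for kind, actor, detail in analyse(SAMPLE_LINES):
        print(f"{kind:18} {actor:50} {detail}")
```

              Run it directly to print the findings for the embedded lines, or pass the behaviour section of another report to analyse(). The correlation step is what separates a hollowed host from a benign launch or a lone unmap: the same parent must both create the child and unmap its image base, which is why the 'base address: 8' unmap and the RegAsm.exe launch (injected with an RWX section, not unmapped) are reported as different findings.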
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31864.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.3