
Analysis Report SecuriteInfo.com.Trojan.Inject3.45252.31790.17182

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Inject3.45252.31790.17182 (renamed file extension from 17182 to exe)
Analysis ID: 251578
MD5: dd7b5ff06ef9585a48ed588afb0369ad
SHA1: 20c33735d7715bcfadd493ce553fc9c6e2b5e375
SHA256: 99ee2dd0a0d5bc919d4b1e69eb636945f361989c6c6cb61cbcf3c4246bd588b8

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Inject3.45252.31790.exe (PID: 3812 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe' MD5: DD7B5FF06EF9585A48ED588AFB0369AD)
    • RegAsm.exe (PID: 5316 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 5308 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 472 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 1976 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
      • vbc.exe (PID: 2348 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vbc.exe (PID: 3168 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 5328 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 176 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
      • vbc.exe (PID: 2620 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.906840120.0000000003C91000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  Matched strings:
  • 0x7b937:$key: HawkEyeKeylogger
  • 0x7dba1:$salt: 099u787978786
  • 0x7bf78:$string1: HawkEye_Keylogger
  • 0x7cdcb:$string1: HawkEye_Keylogger
  • 0x7db01:$string1: HawkEye_Keylogger
  • 0x7c361:$string2: holdermail.txt
  • 0x7c381:$string2: holdermail.txt
  • 0x7c2a3:$string3: wallet.dat
  • 0x7c2bb:$string3: wallet.dat
  • 0x7c2d1:$string3: wallet.dat
  • 0x7d6c5:$string4: Keylog Records
  • 0x7d9dd:$string4: Keylog Records
  • 0x7dbf9:$string5: do not script -->
  • 0x7b91f:$string6: \pidloc.txt
  • 0x7b9ad:$string7: BSPLIT
  • 0x7b9bd:$string7: BSPLIT
00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  Matched strings:
  • 0x7bfd0:$hawkstr1: HawkEye Keylogger
  • 0x7ce11:$hawkstr1: HawkEye Keylogger
  • 0x7d140:$hawkstr1: HawkEye Keylogger
  • 0x7d29b:$hawkstr1: HawkEye Keylogger
  • 0x7d3fe:$hawkstr1: HawkEye Keylogger
  • 0x7d69d:$hawkstr1: HawkEye Keylogger
  • 0x7bb5e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d193:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ea:$hawkstr2: Dear HawkEye Customers!
  • 0x7d451:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc7f:$hawkstr3: HawkEye Logger Details:

        Unpacked PEs

Source | Rule | Description | Author
13.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
13.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
2.2.RegAsm.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  Matched strings:
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

                Sigma Overview

                System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data:
  • Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
  • CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
  • CommandLine|base64offset|contains: ^
  • Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  • ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  • ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  • ParentProcessId: 5308
  • ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
  • ProcessId: 2348
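The Sigma hit above fires on the vbc.exe /stext command line. As an added example (my code, not part of the Joe Sandbox report and not Sigma's or HawkEye's own logic), the Python below scores Sysmon-style process-creation records for the whole chain seen in the process tree: a .NET framework host such as RegAsm.exe started with an empty command line, then vbc.exe invoked with a NirSoft export switch writing a .txt into %LOCALAPPDATA%\Temp. The event dicts are constructed from the PIDs and command lines in the report (the dropper's parent PID and the two benign control events are invented); the switch list, score weights and alert threshold are assumptions to tune.

```python
"""Added example, not code from the Joe Sandbox report, Sigma or HawkEye:
score process-creation events for the credential-dump chain in the report's
process tree (an argument-less RegAsm.exe host, then vbc.exe run with a NirSoft
'/stext' export into %LOCALAPPDATA%\\Temp).  The event dicts are a constructed
Sysmon-like layout; weights and threshold are assumptions to tune."""

from __future__ import annotations

import ntpath
import re

# Command-line export switches of the NirSoft password-recovery tools
# (MailPassView, WebBrowserPassView); a compiler such as vbc.exe never takes them.
NIRSOFT_EXPORT_SWITCHES = {"/stext", "/stab", "/scomma", "/shtml", "/sverhtml", "/sxml"}

# Signed .NET framework binaries commonly abused as hollowing hosts.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "vbc.exe", "csc.exe"}

# Of those, the ones that need an assembly argument for any legitimate run.
NEEDS_ARGS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}

ALERT_THRESHOLD = 3  # assumption: alert at this score or above

# Splits a Windows command line on whitespace while keeping quoted paths whole
# (the sandbox prints paths in single quotes; Sysmon prints double quotes).
_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|\S+''')


def tokenize(cmdline: str) -> list[str]:
    return [t.strip("\"'") for t in _TOKEN.findall(cmdline)]


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def score_event(event: dict, by_pid: dict[int, dict]) -> tuple[int, list[str]]:
    """Score one event; by_pid lets the parent's command line be inspected."""
    score, reasons = 0, []
    image = image_name(event["image"])
    args = [t.lower() for t in tokenize(event["cmdline"])[1:]]

    switches = sorted(s for s in NIRSOFT_EXPORT_SWITCHES if s in args)
    if image in DOTNET_HOSTS and switches:
        score += 3
        reasons.append(f"{image} run with NirSoft export switch {switches}")
        # holderwb.txt / holdermail.txt in the report land under the user's temp dir.
        if any("\\appdata\\local\\temp\\" in a and a.endswith(".txt") for a in args):
            score += 1
            reasons.append("export target is a .txt under %LOCALAPPDATA%\\Temp")

    if image in NEEDS_ARGS and not args:
        score += 1
        reasons.append(f"{image} started with no arguments (nothing to register)")

    parent = by_pid.get(event["ppid"])
    if parent is not None:
        pimage = image_name(parent["image"])
        if pimage in NEEDS_ARGS and not tokenize(parent["cmdline"])[1:]:
            score += 2
            reasons.append(f"parent {pimage} (pid {parent['pid']}) has an empty command line")
    return score, reasons


def analyze(events: list[dict]) -> dict[int, tuple[int, list[str]]]:
    """Return {pid: (score, reasons)} for every event at or above the threshold."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        score, reasons = score_event(e, by_pid)
        if score >= ALERT_THRESHOLD:
            hits[e["pid"]] = (score, reasons)
    return hits


V2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
V4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed events: PIDs and command lines follow the report's process tree
# (parent pid 1000 of the dropper is invented); 7001/7002 are invented benign
# controls: a real COM registration and a real compile.
EVENTS = [
    {"pid": 3812, "ppid": 1000, "image": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe",
     "cmdline": r"'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe'"},
    {"pid": 5308, "ppid": 3812, "image": V4 + r"\RegAsm.exe", "cmdline": V4 + r"\RegAsm.exe"},
    {"pid": 2348, "ppid": 5308, "image": V2 + r"\vbc.exe",
     "cmdline": V2 + r"\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"},
    {"pid": 3168, "ppid": 5308, "image": V2 + r"\vbc.exe",
     "cmdline": V2 + r"\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"},
    {"pid": 7001, "ppid": 1000, "image": V4 + r"\RegAsm.exe",
     "cmdline": V4 + r"\RegAsm.exe /codebase 'C:\Program Files\Vendor\Interop.dll'"},
    {"pid": 7002, "ppid": 7001, "image": V2 + r"\vbc.exe",
     "cmdline": V2 + r"\vbc.exe /out:app.exe 'C:\src\Program.vb'"},
]

if __name__ == "__main__":
    for pid, (score, reasons) in analyze(EVENTS).items():
        print(f"pid {pid} score {score}: " + "; ".join(reasons))
```

On the constructed events the two vbc.exe children score 6 and alert, while the argument-less RegAsm.exe host alone scores 1: the empty command line is a weak indicator by itself (the report's second RegAsm.exe, PID 5316, never spawned anything) and is only decisive in combination with the export switch in its child.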

                Signature Overview

                AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Virustotal: Detection: 55%
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Metadefender: Detection: 21%
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | ReversingLabs: Detection: 50%
Source: 2.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.RegAsm.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000002.00000002.895258977.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000002.00000002.895258977.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 13_2_00408441: FindFirstFileW, FindNextFileW, wcslen, wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 13_2_00407E0E: FindFirstFileW, FindNextFileW, FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_077C2497: 4x nop then call 0526A6E8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_077C2497: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_079BA430: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_079B9F70: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_079B7ED0: 4x nop then lea esp, dword ptr [ebp-08h]
Source: unknown | DNS traffic detected: query: 146.215.12.0.in-addr.arpa, reply code: Name error (3)
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.907160437.0000000003CF7000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.903412417.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login | equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.907160437.0000000003CF7000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.903412417.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login | equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ | equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000003.901980243.0000000000AFC000.00000004.00000001.sdmp | String found in binary or memory: tps://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login | equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000003.901980243.0000000000AFC000.00000004.00000001.sdmp | String found in binary or memory: tps://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login | equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 146.215.12.0.in-addr.arpa
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.907160437.0000000003CF7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: RegAsm.exe, 00000002.00000003.785225245.0000000005D64000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.907160437.0000000003CF7000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: RegAsm.exe, 00000002.00000002.900436799.0000000002C91000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.842445376.0000000005270000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | String found in binary or memory: http://signalr.net/
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.895258977.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000002.00000003.790822684.0000000005D64000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: RegAsm.exe, 00000002.00000003.790932573.0000000005D67000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com$
Source: RegAsm.exe, 00000002.00000003.790822684.0000000005D64000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000002.00000003.790822684.0000000005D64000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000002.00000003.789134378.0000000005D9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000002.00000003.789758146.0000000005D9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000002.00000003.788736418.0000000005D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnj
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000002.00000003.795623640.0000000005D67000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.3
Source: RegAsm.exe, 00000002.00000002.906840120.0000000003C91000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.907160437.0000000003CF7000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 0000000D.00000002.903412417.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000002.00000002.900436799.0000000002C91000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000002.00000002.915693909.0000000005E56000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 00000002.00000003.790822684.0000000005D64000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn(
Source: RegAsm.exe, 00000002.00000003.790822684.0000000005D64000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.q)
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | String found in binary or memory: https://github.com/SignalR/SignalR/blob/master/LICENSE.md
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 2_2_079B679C: SetWindowsHookExA 0000000D,00000000,?,? (idHook 0x0D is WH_KEYBOARD_LL, a global low-level keyboard hook)
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function 13_2_0040D674: OpenClipboard, GetLastError, DeleteFileW
Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.780232527.00000000013AB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

                System Summary:

                Malicious sample detected (through community Yara rule)Show sources
                Source: 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.895258977.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.895258977.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.781217923.00000000040F5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.781217923.00000000040F5000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.784830562.0000000005D62000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.784830562.0000000005D62000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.900436799.0000000002C91000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exeCode function: 0_2_017500AD NtOpenSection,NtMapViewOfSection,0_2_017500AD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exeCode function: 0_2_01751C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,0_2_01751C09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_077C432C NtResumeThread,2_2_077C432C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C4320 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C4308 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C4374 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C4368 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C4350 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C4314 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C438C NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C4380 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C42F0 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C8D41 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C8DF8 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_077C8BE1 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
                Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
                Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 1976
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.780232527.00000000013AB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.Inject3.45252.31790.exe
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs SecuriteInfo.com.Trojan.Inject3.45252.31790.exe
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs SecuriteInfo.com.Trojan.Inject3.45252.31790.exe
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs SecuriteInfo.com.Trojan.Inject3.45252.31790.exe
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs SecuriteInfo.com.Trojan.Inject3.45252.31790.exe
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.783932559.0000000005530000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDxnZWlpBvOOuoWSn.river.exe4 vs SecuriteInfo.com.Trojan.Inject3.45252.31790.exe
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.895258977.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.895258977.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.781217923.00000000040F5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.781217923.00000000040F5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.784830562.0000000005D62000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.784830562.0000000005D62000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.900436799.0000000002C91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/13@1/0
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.log
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_01
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5308
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3168
                Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4221.tmp
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.903412417.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Virustotal: Detection: 55%
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Metadefender: Detection: 21%
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | ReversingLabs: Detection: 50%
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | String found in binary or memory: // Unsubscribe all hub proxies when we "disconnect". This is to ensure that we do not re-add functional call backs. // (instance, shouldSubscribe) registerHubProxies(proxies, false); }); /*hubs*/
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | String found in binary or memory: // Unsubscribe all hub proxies when we "disconnect". This is to ensure that we do not re-add functional call backs.
                Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe'
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 1976
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 176
                Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                Source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: System.Configuration.pdbZ source: WerFault.exe, 00000005.00000003.847285549.0000000004D4B000.00000004.00000001.sdmp
                Source: Binary string: CMemoryExecute.pdb4= source: WerFault.exe, 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp
                Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000005.00000003.847285549.0000000004D4B000.00000004.00000001.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp
                Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 0000000F.00000002.925615086.0000000005760000.00000002.00000001.sdmp
                Source: Binary string: System.Xml.pdbk source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.830740145.0000000000A50000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.907405745.00000000055C1000.00000004.00000001.sdmp
                Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.846985585.0000000004D32000.00000004.00000040.sdmp
                Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.847403251.0000000004D60000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.830670400.0000000000A44000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.907405745.00000000055C1000.00000004.00000001.sdmp
                Source: Binary string: winnsi.pdb source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: ml.pdb source: WerFault.exe, 00000005.00000003.847285549.0000000004D4B000.00000004.00000001.sdmp
                Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: pnrpnsp.pdbJlTa source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.847210240.0000000004D3B000.00000004.00000040.sdmp
                Source: Binary string: System.Drawing.pdb8f source: WER4221.tmp.dmp.5.dr
                Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.847210240.0000000004D3B000.00000004.00000040.sdmp
                Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000005.00000003.847285549.0000000004D4B000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: CMemoryExecute.pdbk source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000005.00000003.847371760.0000000004D7C000.00000004.00000001.sdmp, WER4221.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdbX source: WER4221.tmp.dmp.5.dr
                Source: Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.847102219.0000000004D41000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000003.847102219.0000000004D41000.00000004.00000040.sdmp, WER4221.tmp.dmp.5.dr
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.895258977.0000000000402000.00000040.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: SecuriteInfo.com.Trojan.Inject3.45252.31790.exe, 00000000.00000002.784538064.0000000005752000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.906840120.0000000003C91000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000005.00000003.844549361.0000000004CD0000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.ni.pdbM source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: RegAsm.exe, 00000002.00000002.920951056.000000000847A000.00000004.00000010.sdmp
                Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.PDB source: RegAsm.exe, 00000002.00000002.920951056.000000000847A000.00000004.00000010.sdmp
                Source: Binary string: sfc.pdb! source: WerFault.exe, 00000005.00000003.847102219.0000000004D41000.00000004.00000040.sdmp
                Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.847049618.0000000004D43000.00000004.00000001.sdmp
                Source: Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.847210240.0000000004D3B000.00000004.00000040.sdmp

                Data Obfuscation:

                .NET source code contains potential unpacker
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_004422C7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe Code function: 0_2_016D1548 pushfd ; iretd 0_2_016D1549
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_02B1E673 push esp; ret 2_2_02B1E679
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_079B8210 push edi; retn 000Ch 2_2_079B8232
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_079BC195 push esp; retf 2_2_079BC196
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442871 push ecx; ret 13_2_00442881
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442A90 push eax; ret 13_2_00442AA4
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442A90 push eax; ret 13_2_00442ACC
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00446E54 push eax; ret 13_2_00446E61
                Source: initial sample Static PE information: section name: .text entropy: 6.94576765251

                Hooking and other Techniques for Hiding and Protection:

                Changes the view of files in windows explorer (hidden files and folders)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_00441975
                Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe TID: 5284 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5280 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5396 | Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5400 | Thread sleep time: -140000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 824 | Thread sleep time: -300000s >= -30000s
                Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004161B0 memset,GetSystemInfo
                Source: WerFault.exe, 00000005.00000002.888388832.0000000004EC0000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.926070830.0000000005880000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: WerFault.exe, 00000005.00000002.879716549.00000000048C8000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                Source: WerFault.exe, 00000005.00000002.888388832.0000000004EC0000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.926070830.0000000005880000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: WerFault.exe, 00000005.00000002.888388832.0000000004EC0000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.926070830.0000000005880000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: WerFault.exe, 00000005.00000002.888388832.0000000004EC0000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.926070830.0000000005880000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079BC530 LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Code function: 0_2_017500AD mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Code function: 0_2_017500AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Code function: 0_2_017501CB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                .NET source code references suspicious native API functions
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 0.2.SecuriteInfo.com.Trojan.Inject3.45252.31790.exe.5d60000.3.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 2.2.RegAsm.exe.400000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Maps a DLL or memory area into another process
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                Sample uses process hollowing technique
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject3.45252.31790.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume infor