Analysis Report Zahlung.exe

Overview

General Information

Sample Name: Zahlung.exe
Analysis ID: 253586
MD5: b1384c2616904ea8ad15c429a5a13c68
SHA1: af749d5cb38564115b0858b3be38de686e98cc18
SHA256: b69edb31667b041c81590e2eca6f768ff10aded76936192b517789dd1556e1be

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Zahlung.exe (PID: 6948 cmdline: 'C:\Users\user\Desktop\Zahlung.exe' MD5: B1384C2616904EA8AD15C429A5A13C68)
    • RegAsm.exe (PID: 6976 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 6984 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 4884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6984 -s 2060 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 4952 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 5192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 5108 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 3000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1354152953.0000000003DC2000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b717:$key: HawkEyeKeylogger
  • 0x7d981:$salt: 099u787978786
  • 0x7bd58:$string1: HawkEye_Keylogger
  • 0x7cbab:$string1: HawkEye_Keylogger
  • 0x7d8e1:$string1: HawkEye_Keylogger
  • 0x7c141:$string2: holdermail.txt
  • 0x7c161:$string2: holdermail.txt
  • 0x7c083:$string3: wallet.dat
  • 0x7c09b:$string3: wallet.dat
  • 0x7c0b1:$string3: wallet.dat
  • 0x7d4a5:$string4: Keylog Records
  • 0x7d7bd:$string4: Keylog Records
  • 0x7d9d9:$string5: do not script -->
  • 0x7b6ff:$string6: \pidloc.txt
  • 0x7b78d:$string7: BSPLIT
  • 0x7b79d:$string7: BSPLIT
00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bdb0:$hawkstr1: HawkEye Keylogger
  • 0x7cbf1:$hawkstr1: HawkEye Keylogger
  • 0x7cf20:$hawkstr1: HawkEye Keylogger
  • 0x7d07b:$hawkstr1: HawkEye Keylogger
  • 0x7d1de:$hawkstr1: HawkEye Keylogger
  • 0x7d47d:$hawkstr1: HawkEye Keylogger
  • 0x7b93e:$hawkstr2: Dear HawkEye Customers!
  • 0x7cf73:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d231:$hawkstr2: Dear HawkEye Customers!
  • 0x7ba5f:$hawkstr3: HawkEye Logger Details:
  (list truncated on the original page: 20 entries)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
2.2.RegAsm.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bfb0:$hawkstr1: HawkEye Keylogger
  • 0x7cdf1:$hawkstr1: HawkEye Keylogger
  • 0x7d120:$hawkstr1: HawkEye Keylogger
  • 0x7d27b:$hawkstr1: HawkEye Keylogger
  • 0x7d3de:$hawkstr1: HawkEye Keylogger
  • 0x7d67d:$hawkstr1: HawkEye Keylogger
  • 0x7bb3e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d173:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d431:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc5f:$hawkstr3: HawkEye Logger Details:
0.2.Zahlung.exe.5310000.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
  (list truncated on the original page: 3 entries)

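The RAT_HawkEye and Hawkeye matches above are pure string signatures: the unpacked payload still carries its family strings in clear. The Python below is an added example, not the rule authors' Yara or Joe Sandbox code. It re-implements the string part of the RAT_HawkEye check over a constructed stand-in for a .NET #US string heap, using exactly the nine literals reported in the table. Two assumptions are built in and labelled in the code: the literals are searched as UTF-16LE (Yara `wide`), which is how the C# compiler stores string literals, and the condition is taken to be "$key and $salt and all $string* present"; neither is a quotation of the published rule.

```python
"""Plain-Python re-implementation of the RAT_HawkEye string checks (added example)."""
from __future__ import annotations

import re

# Identifiers and literals exactly as listed in the Yara match above.
HAWKEYE_STRINGS = {
    "$key": "HawkEyeKeylogger",
    "$salt": "099u787978786",
    "$string1": "HawkEye_Keylogger",
    "$string2": "holdermail.txt",
    "$string3": "wallet.dat",
    "$string4": "Keylog Records",
    "$string5": "do not script -->",
    "$string6": "\\pidloc.txt",
    "$string7": "BSPLIT",
}
STRING_IDS = [k for k in HAWKEYE_STRINGS if k.startswith("$string")]


def find_wide(blob: bytes, text: str) -> list[int]:
    """Every offset at which `text` occurs UTF-16LE encoded ("wide") in `blob`.

    Assumption: the rule's strings are wide. C# string literals live in the
    #US heap as UTF-16LE, so an ASCII-only search would miss them entirely."""
    needle = re.escape(text.encode("utf-16-le"))
    return [m.start() for m in re.finditer(needle, blob)]


def scan(blob: bytes) -> dict:
    """Return the per-identifier hit offsets and whether the assumed condition holds."""
    hits = {ident: find_wide(blob, text) for ident, text in HAWKEYE_STRINGS.items()}
    # Assumed condition: key and salt present, and every $string* present.
    matched = bool(hits["$key"] and hits["$salt"]) and all(hits[i] for i in STRING_IDS)
    return {"matched": matched, "hits": hits}


def build_us_heap(strings: list[str]) -> bytes:
    """Constructed stand-in for a .NET #US heap: one-byte length prefix, UTF-16LE
    text, one trailing flag byte per entry. Real heaps use compressed lengths; this
    is only enough to exercise the scanner on realistic byte layout."""
    out = bytearray(b"\x00")
    for s in strings:
        enc = s.encode("utf-16-le") + b"\x00"
        out += bytes([len(enc)]) + enc
    return bytes(out)


# Constructed sample heaps (not taken from the sample). The first mirrors the hit
# pattern above (wallet.dat three times, holdermail.txt twice); the second is a
# benign wallet application that happens to mention wallet.dat.
MALICIOUS_HEAP = build_us_heap([
    "Form1", "HawkEyeKeylogger", "099u787978786", "HawkEye_Keylogger",
    "holdermail.txt", "holderwb.txt", "wallet.dat", "wallet.dat", "wallet.dat",
    "Keylog Records", "<!-- do not script -->", "\\pidloc.txt", "BSPLIT",
    "holdermail.txt",
])
BENIGN_HEAP = build_us_heap(["MainWindow", "wallet.dat", "Settings"])

if __name__ == "__main__":
    for name, heap in (("malicious", MALICIOUS_HEAP), ("benign", BENIGN_HEAP)):
        result = scan(heap)
        print(name, "matched" if result["matched"] else "clean")
        for ident, offsets in result["hits"].items():
            for off in offsets:
                print(f"  {off:#x}:{ident}: {HAWKEYE_STRINGS[ident]}")
```

The wide-versus-ASCII distinction is the practical point: a hunter who lifts these literals into their own rule without `wide` gets no hits on the .NET payload, while the same rule applied to the native NirSoft binaries (WebBrowserPassView, mailpv) would need `ascii`.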
Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 6984, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 4952

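The Sigma match above is on vbc.exe being run with /stext, the NirSoft command-line switch that saves a recovery tool's output as a text file: the hollowed RegAsm.exe is running the embedded mailpv and WebBrowserPassView binaries and dumping credentials to %LocalAppData%\Temp. The Startup tree shows the other half of the pattern: Zahlung.exe on the Desktop starts RegAsm.exe with no arguments, which RegAsm.exe never does legitimately (it needs an assembly to register). The Python below is an added example, neither the Sigma rule nor Joe Sandbox code; it encodes both observations as rules over process-creation events and runs them on constructed events modelled on the tree above (PIDs and paths copied from it) plus three benign look-alikes. The event record layout, the benign events, the parent PIDs for the top-level processes and the double-quoted command lines are assumptions.

```python
"""Process-chain rules for the RegAsm.exe -> vbc.exe /stext pattern (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # command line as logged (Sysmon EID 1 / Security 4688 style)


FW4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
FW2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed events. 6948/6976/6984/4952/5108 mirror the Startup tree above;
# 7000-7002 are benign look-alikes (a VB build, a vendor installer registering a
# COM assembly) that the rules must not flag. Parent PIDs 4100/4200 are assumed.
EVENTS = [
    ProcEvent(6948, 4100, r"C:\Users\user\Desktop\Zahlung.exe", r'"C:\Users\user\Desktop\Zahlung.exe"'),
    ProcEvent(6976, 6948, FW4 + r"\RegAsm.exe", FW4 + r"\RegAsm.exe"),
    ProcEvent(6984, 6948, FW4 + r"\RegAsm.exe", FW4 + r"\RegAsm.exe"),
    ProcEvent(4952, 6984, FW2 + r"\vbc.exe", FW2 + r'\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"'),
    ProcEvent(5108, 6984, FW2 + r"\vbc.exe", FW2 + r'\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"'),
    ProcEvent(7000, 4100, FW4 + r"\MSBuild.exe", FW4 + r"\MSBuild.exe C:\src\app.vbproj"),
    ProcEvent(7001, 7000, FW4 + r"\vbc.exe", FW4 + r"\vbc.exe /noconfig @C:\src\obj\app.rsp"),
    ProcEvent(7002, 4200, FW4 + r"\RegAsm.exe", FW4 + r'\RegAsm.exe /codebase "C:\Program Files\Vendor\lib.dll"'),
]

FRAMEWORK_DIR = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I)
# NirSoft "save as text" switch; captures the output path with or without quotes.
STEXT = re.compile(r'(?:^|\s)/stext\s+"?(.+?)"?\s*$', re.I)
# Framework binaries seen abused as hosts here (RegAsm, vbc) plus common siblings.
HOST_BINARIES = {"regasm.exe", "regsvcs.exe", "vbc.exe", "msbuild.exe", "installutil.exe"}


def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (executable, remaining arguments)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) alerts for the two behaviours in the report."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) not in HOST_BINARIES or not FRAMEWORK_DIR.match(e.image):
            continue
        _, args = split_cmdline(e.cmdline)
        parent = by_pid.get(e.ppid)
        # Rule 1: a framework binary asked to write a NirSoft-style text dump.
        m = STEXT.search(e.cmdline)
        if m:
            alerts.append((e.pid, "nirsoft_text_dump", m.group(1)))
        # Rule 2: framework binary started with no arguments by a parent outside the
        # framework directory: nothing to register or compile, so the process only
        # exists to be hollowed (created suspended, image replaced, resumed).
        if not args and parent is not None and not FRAMEWORK_DIR.match(parent.image):
            alerts.append((e.pid, "hollow_host_no_args", f"parent={parent.image}"))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

Rule 2 is the higher-signal one for this family: the /stext dump only appears once the hollowed host has already run, whereas the argument-less RegAsm.exe start fires at the moment of injection and before the crash that produced the WerFault.exe children in the tree.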
Signature Overview

AV Detection:

Machine Learning detection for sample
Source: Zahlung.exe | Joe Sandbox ML: detected

May infect USB drives
Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp | Binary or memory string: [autorun]

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0516A630h | 2_2_0516A559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0516A630h | 2_2_0516A568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 2_2_05169EF5

Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.1354152953.0000000003DC2000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.1354152953.0000000003DC2000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 55.235.10.0.in-addr.arpa
Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.1354152953.0000000003DC2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.1354152953.0000000003DC2000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: RegAsm.exe, 00000002.00000002.1349856918.0000000002D51000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000006.00000003.1327717408.0000000005DE0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000003.1289270395.0000000005D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000002.00000003.1292746421.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: RegAsm.exe, 00000002.00000003.1292746421.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com(
Source: RegAsm.exe, 00000002.00000003.1292746421.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: RegAsm.exe, 00000002.00000003.1292746421.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comK
Source: RegAsm.exe, 00000002.00000003.1292746421.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: RegAsm.exe, 00000002.00000003.1292746421.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTCv
Source: RegAsm.exe, 00000002.00000003.1292746421.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTe1
Source: RegAsm.exe, 00000002.00000003.1292746421.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comUI
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000002.00000003.1292746421.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como
Source: RegAsm.exe, 00000002.00000003.1292746421.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000003.1295378417.0000000005D8B000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000003.1295756190.0000000005D8C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 00000002.00000003.1295378417.0000000005D8B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers=
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 00000002.00000003.1295756190.0000000005D8C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerst
Source: RegAsm.exe, 00000002.00000002.1355360631.0000000005D80000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: RegAsm.exe, 00000002.00000002.1355360631.0000000005D80000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comic6
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000003.1287968956.0000000005DBD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000002.00000003.1288680649.0000000005DBD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000002.00000003.1287968956.0000000005DBD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnC
Source: RegAsm.exe, 00000002.00000003.1287555819.0000000005D89000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnb-n
Source: RegAsm.exe, 00000002.00000003.1287968956.0000000005DBD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnh-t
Source: RegAsm.exe, 00000002.00000003.1288680649.0000000005DBD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cns-e
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000003.1283785794.0000000005D83000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000002.00000003.1283785794.0000000005D83000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comJ
Source: RegAsm.exe, 00000002.00000003.1283785794.0000000005D83000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comd
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000003.1287144585.0000000005D8E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000002.00000003.1287144585.0000000005D8E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krI
Source: RegAsm.exe, 00000002.00000003.1287144585.0000000005D8E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krTFv
Source: RegAsm.exe, 00000002.00000002.1349856918.0000000002D51000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 00000002.00000002.1358842913.0000000006F92000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Zahlung.exe.5310000.3.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.1280170965.00000000036A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.1280170965.00000000036A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.1349856918.0000000002D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.1281504268.0000000004D09000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.1281504268.0000000004D09000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.Zahlung.exe.5310000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Zahlung.exe.5310000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\Zahlung.exeCode function: 0_2_02581C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,0_2_02581C09
            Source: C:\Users\user\Desktop\Zahlung.exeCode function: 0_2_025800AD NtOpenSection,NtMapViewOfSection,0_2_025800AD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0106B29C2_2_0106B29C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0106C3102_2_0106C310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0106B2902_2_0106B290
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_010699D02_2_010699D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0106DFD02_2_0106DFD0
            Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6984 -s 2060
            Source: Zahlung.exe, 00000000.00000002.1281192530.0000000004AE0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameypKKpytMKPzQjOcm.river.exe4 vs Zahlung.exe
            Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Zahlung.exe
            Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Zahlung.exe
            Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Zahlung.exe
            Source: Zahlung.exe, 00000000.00000002.1282192629.0000000005392000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs Zahlung.exe
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: 00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.1280170965.00000000036A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.1280170965.00000000036A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.1349856918.0000000002D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.1281504268.0000000004D09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.1281504268.0000000004D09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.Zahlung.exe.5310000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0.2.Zahlung.exe.5310000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: Zahlung.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 0.2.Zahlung.exe.5310000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 0.2.Zahlung.exe.5310000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 0.2.Zahlung.exe.5310000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 0.2.Zahlung.exe.5310000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.2.Zahlung.exe.5310000.3.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
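            The two findings above belong together: Form1.cs calls CreateDecryptor/TransformFinalBlock and carries three Base64 constants. Whether such constants are ciphertext (a config the payload decrypts at runtime) or just encoded text is the first thing to settle before spending debugger time. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample; it decodes each string and reports length, block alignment and byte entropy. The three page strings are used as input, the two control strings are constructed here, and the entropy threshold is a heuristic chosen for this example.

```python
import base64
import binascii
import math
from typing import Dict, List

# The three constants the report lists for Form1.cs (copied from the page).
PAGE_STRINGS: List[str] = [
    "Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==",
    "qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==",
    "PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w==",
]

# Constructed controls (not from the report): plain text, and binary that is
# not a multiple of the block size.
CONTROL_PLAINTEXT = base64.b64encode(b"hello world").decode()
CONTROL_UNALIGNED = base64.b64encode(bytes(range(128, 148))).decode()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; tops out at log2(len(data)) for short blobs."""
    if not data:
        return 0.0
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_b64(s: str, block: int = 16) -> Dict[str, object]:
    """Decode a Base64 string and say what kind of data it most likely holds.

    'block' is the cipher block size to test alignment against; 16 covers
    AES/Rijndael, which is what System.Security.Cryptography.CreateDecryptor
    is most often created from in samples like this one.
    """
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return {"valid": False, "verdict": "not base64"}
    printable = all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in raw)
    ent = shannon_entropy(raw)
    info: Dict[str, object] = {
        "valid": True,
        "length": len(raw),
        "block_aligned": len(raw) % block == 0,
        "entropy": round(ent, 2),
        "printable": printable,
    }
    # Heuristic threshold (assumption): random-looking bytes sit well above
    # three quarters of the maximum entropy reachable for that many bytes.
    max_ent = min(8.0, math.log2(len(raw))) if raw else 0.0
    if printable:
        info["verdict"] = "plaintext"
    elif info["block_aligned"] and ent > 0.75 * max_ent:
        info["verdict"] = "likely block-cipher ciphertext"
    else:
        info["verdict"] = "binary, not block aligned"
    return info


def classify_all(strings: List[str]) -> List[Dict[str, object]]:
    return [classify_b64(s) for s in strings]


if __name__ == "__main__":
    for s, r in zip(PAGE_STRINGS + [CONTROL_PLAINTEXT, CONTROL_UNALIGNED],
                    classify_all(PAGE_STRINGS + [CONTROL_PLAINTEXT, CONTROL_UNALIGNED])):
        print(f"{s[:20]:22} {r}")
```

            All three page strings decode to exactly 64 bytes, a multiple of 16 with no printable structure, which is what AES-style ciphertext without a prepended IV looks like. The practical consequence is that the key is in the assembly, not in the strings: a breakpoint on TransformFinalBlock in the unpacked RegAsm.exe image (2.2.RegAsm.exe.400000.0.unpack) returns the decrypted configuration without having to recover the key by hand.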
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/15@2/1
            Source: C:\Users\user\Desktop\Zahlung.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zahlung.exe.log
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6984
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4952
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5108
            Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER86ED.tmp
            Source: Zahlung.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Zahlung.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\Zahlung.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: unknown | Process created: C:\Users\user\Desktop\Zahlung.exe 'C:\Users\user\Desktop\Zahlung.exe'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6984 -s 2060
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 176
            Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 176
            Source: C:\Users\user\Desktop\Zahlung.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Users\user\Desktop\Zahlung.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
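            Read as a tree, the process-creation entries above are the whole HawkEye chain: the dropper on the Desktop starts RegAsm.exe with no arguments (a hollowing host; the Yara hits on 2.2.RegAsm.exe.400000.0.unpack confirm the payload landed there), the hollowed RegAsm.exe then starts vbc.exe twice with '/stext <file>', and WerFault.exe reports crashes of exactly those PIDs. '/stext' is the NirSoft save-as-text switch, which a Visual Basic compiler does not have, so each vbc.exe is carrying an injected mailpv.exe or WebBrowserPassView.exe (the OriginalFilename strings above) and writing recovered credentials to holdermail.txt / holderwb.txt. The Python below is an added example, not part of the Joe Sandbox report or of any vendor product: three rules derived from this chain, run over constructed process-creation events that mirror the page's tree (the PIDs 4520, 8123 and 7001, the explorer/svchost/cmd parents and the field names are assumptions; map the fields to your Sysmon or EDR schema).

```python
import re
from typing import Dict, List, Set

# Constructed sample events modelled on the page's process tree; they are not
# the sandbox's raw data. Field names are assumed; map them to your schema.
EVENTS: List[Dict[str, str]] = [
    {"pid": "6984", "image": r"C:\Users\user\Desktop\Zahlung.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"'C:\Users\user\Desktop\Zahlung.exe'"},
    {"pid": "4520", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Users\user\Desktop\Zahlung.exe",
     "command_line": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"pid": "4952", "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "command_line": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"},
    {"pid": "8123", "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 176"},
    # Benign control: a developer registering an assembly from a shell.
    {"pid": "7001", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"RegAsm.exe /codebase MyLib.dll"},
]

# .NET utilities this report shows being used as injection hosts; extend the
# set with whatever other framework binaries you see hollowed in your telemetry.
HOLLOW_HOSTS = {"regasm.exe", "vbc.exe"}
# Locations a standard user can write to; a parent living there is the dropper.
USER_WRITABLE = re.compile(r"^C:\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _arguments(command_line: str) -> str:
    """Return the command line with its first (possibly quoted) token removed."""
    m = re.match(r"""^\s*(?:"[^"]*"|'[^']*'|\S+)\s*(.*)$""", command_line, re.S)
    return m.group(1).strip() if m else ""


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply three rules derived from the chain on this page and return findings.

    Events must be in chronological order so that the WerFault rule can see
    which PIDs were already flagged when the crash report was raised.
    """
    findings: List[Dict[str, str]] = []
    flagged_pids: Set[str] = set()

    for ev in events:
        name = _basename(ev["image"])
        args = _arguments(ev["command_line"])

        # Rule 1: a .NET utility started with no arguments by something in a
        # user-writable location does no useful work on its own; that is the
        # shape of a process-hollowing target (RegAsm.exe in this report).
        if name in HOLLOW_HOSTS and not args and USER_WRITABLE.search(ev["parent_image"]):
            findings.append({"rule": "hollowing_target_no_args", "pid": ev["pid"],
                             "detail": f"{name} spawned bare by {ev['parent_image']}"})
            flagged_pids.add(ev["pid"])

        # Rule 2: '/stext <file>' is the NirSoft save-as-text switch. A compiler
        # has no such option, so this is a recovery tool injected into vbc.exe
        # dumping credentials to disk (holdermail.txt / holderwb.txt here).
        m = re.search(r"""/stext\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", args, re.I)
        if m:
            out_file = next(g for g in m.groups() if g)
            findings.append({"rule": "nirsoft_stext_dump", "pid": ev["pid"],
                             "detail": out_file})
            flagged_pids.add(ev["pid"])

        # Rule 3: WerFault.exe reporting a crash of a process already flagged is
        # corroboration (injected payloads crash often), not noise to filter.
        if name == "werfault.exe":
            pm = re.search(r"-p\s+(\d+)", args)
            if pm and pm.group(1) in flagged_pids:
                findings.append({"rule": "crash_of_flagged_process", "pid": ev["pid"],
                                 "detail": f"crashed pid {pm.group(1)}"})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<6} {f['detail']}")
```

            The control event shows why rule 1 keys on an empty argument list rather than on RegAsm.exe itself: RegAsm.exe with '/codebase' from a shell is what a developer registering a COM-visible assembly looks like, and it is not flagged. In response, the files named by rule 2 are the artefacts to collect first; they hold the plaintext credentials the keylogger was about to exfiltrate.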
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Zahlung.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Zahlung.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: wbemcomn.pdb; source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: anagement.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 0000000E.00000002.1380347940.0000000005350000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.1380581741.0000000005390000.00000002.00000001.sdmp
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1361054917.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.1361633499.00000000052A1000.00000004.00000001.sdmp
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.1330719687.00000000059D2000.00000004.00000040.sdmp
            Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1359913544.000000000799B000.00000004.00000001.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.1331068188.00000000059D0000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1361054917.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.1361633499.00000000052A1000.00000004.00000001.sdmp
            Source: Binary string: ore.ni.pdb" source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.pdb] source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: pnrpnsp.pdbm source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: winnsi.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: clr.pdb source: WerFault.exe, 00000006.00000003.1330780037.00000000059E1000.00000004.00000040.sdmp
            Source: Binary string: .ni.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000006.00000003.1330882778.000000000581C000.00000004.00000001.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: ility.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000006.00000003.1330745435.00000000059EE000.00000004.00000040.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: RegAsm.PDB source: RegAsm.exe, 00000002.00000002.1360349818.000000000852A000.00000004.00000010.sdmp
            Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: mCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.1372158224.0000000000BE2000.00000004.00000010.sdmp, WerFault.exe, 0000000F.00000002.1372804351.0000000000E32000.00000004.00000010.sdmp
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1361054917.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.1361633499.00000000052A1000.00000004.00000001.sdmp
            Source: Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.1330780037.00000000059E1000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000006.00000003.1330780037.00000000059E1000.00000004.00000040.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.1359652535.0000000007570000.00000004.00000001.sdmp
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.1346192854.0000000000402000.00000040.00000001.sdmp
            Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000002.00000002.1359913544.000000000799B000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: fltLib.pdb@ source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: ws2_32.pdby source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: dhcpcsvc.pdb/ source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb] source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdbO source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: mscoree.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: sfc.pdb! source: WerFault.exe, 00000006.00000003.1330780037.00000000059E1000.00000004.00000040.sdmp
            Source: Binary string: m0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000002.00000002.1360349818.000000000852A000.00000004.00000010.sdmp
            Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdbj source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.1330719687.00000000059D2000.00000004.00000040.sdmp
            Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.1360349818.000000000852A000.00000004.00000010.sdmp
            Source: Binary string: .pdb0 source: RegAsm.exe, 00000002.00000002.1360349818.000000000852A000.00000004.00000010.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: nsi.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.1330719687.00000000059D2000.00000004.00000040.sdmp
            Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000006.00000003.1330780037.00000000059E1000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER86ED.tmp.dmp.6.dr
            Source: Binary string: System.Configuration.pdb+ source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: ole32.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: comctl32.pdb= source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdbx source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000002.00000002.1359913544.000000000799B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: DWrite.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.1330719687.00000000059D2000.00000004.00000040.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.1331068188.00000000059D0000.00000004.00000040.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000006.00000003.1330817567.000000000581A000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: System.Management.pdb source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: advapi32.pdbV source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER86ED.tmp.dmp.6.dr
            Source: Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.1330780037.00000000059E1000.00000004.00000040.sdmp
            Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: System.Drawing.pdb`o source: WER86ED.tmp.dmp.6.dr
            Source: Binary string: System.Xml.ni.pdbRSDS source: WER86ED.tmp.dmp.6.dr
            Source: Binary string: profapi.pdb\ source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.1361054917.0000000005261000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.1361633499.00000000052A1000.00000004.00000001.sdmp
            Source: Binary string: wgdi32full.pdb" source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.1360349818.000000000852A000.00000004.00000010.sdmp
            Source: Binary string: cryptsp.pdbk source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: System.Core.ni.pdbRSDSD source: WER86ED.tmp.dmp.6.dr
            Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000006.00000003.1330745435.00000000059EE000.00000004.00000040.sdmp
            Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: rsaenh.pdbs source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: rawing.pdb source: WerFault.exe, 00000006.00000003.1330882778.000000000581C000.00000004.00000001.sdmp
            Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdbN source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: wmswsock.pdbg source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.1331068188.00000000059D0000.00000004.00000040.sdmp
            Source: Binary string: clrjit.pdbu source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 0000000E.00000002.1380347940.0000000005350000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.1380581741.0000000005390000.00000002.00000001.sdmp
            Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.1330719687.00000000059D2000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000006.00000003.1330719687.00000000059D2000.00000004.00000040.sdmp
            Source: Binary string: winnsi.pdb7 source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.1330719687.00000000059D2000.00000004.00000040.sdmp
            Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.pdb\ source: WER86ED.tmp.dmp.6.dr
            Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000006.00000003.1330745435.00000000059EE000.00000004.00000040.sdmp
            Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: ility.pdb" source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: wmiutils.pdbW source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: iphlpapi.pdbr source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: System.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.1360349818.000000000852A000.00000004.00000010.sdmp
            Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: oleaut32.pdbZ source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER86ED.tmp.dmp.6.dr
            Source: Binary string: clrjit.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.1330719687.00000000059D2000.00000004.00000040.sdmp
            Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000006.00000003.1330780037.00000000059E1000.00000004.00000040.sdmp
            Source: Binary string: fastprox.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdbt source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: winrnr.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Zahlung.exe, 00000000.00000002.1281665738.0000000005312000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.1354152953.0000000003DC2000.00000004.00000001.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: version.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: System.pdb source: WerFault.exe, 00000006.00000003.1330817567.000000000581A000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000006.00000003.1330882778.000000000581C000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: wUxTheme.pdb! source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: bcrypt.pdbl source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.1331068188.00000000059D0000.00000004.00000040.sdmp
            Source: Binary string: winspool.pdbf source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: psapi.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.1331068188.00000000059D0000.00000004.00000040.sdmp
            Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: System.Core.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.1330731178.00000000059DB000.00000004.00000040.sdmp
            Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000006.00000003.1328390582.0000000005AE0000.00000004.00000001.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp
            Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000006.00000003.1330844749.0000000005801000.00000004.00000001.sdmp
            Source: Binary string: System.ni.pdb source: WerFault.exe, 00000006.00000003.1330882778.000000000581C000.00000004.00000001.sdmp, WER86ED.tmp.dmp.6.dr
            Source: Binary string: edputil.pdb source: WerFault.exe, 00000006.00000003.1330787639.00000000059E5000.00000004.00000040.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: 0.2.Zahlung.exe.5310000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Zahlung.exe.5310000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Zahlung.exe.5310000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Zahlung.exe.5310000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Zahlung.exe Code function: 0_2_00256B5D push ebp; iretd 0_2_00256B5E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0516AC12 pushfd ; ret 2_2_0516AC21
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0516FC02 push E801005Eh; ret 2_2_0516FC09
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_051649E2 push 000000C3h; ret 2_2_05164A7A
            Source: initial sample Static PE information: section name: .text entropy: 7.20394992193

            Hooking and other Techniques for Hiding and Protection:

            Changes the view of files in windows explorer (hidden files and folders)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
            Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Zahlung.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: