
Analysis Report Versanddetails.exe

Overview

General Information

Sample Name: Versanddetails.exe
Analysis ID: 253822
MD5: 171c9a719c471c82e9fd6f07ccc3c049
SHA1: 05d67dde84357b0e8e517579da0fe132130fe1da
SHA256: c57c1f05f4bf9400266a89738d1aa4fed4346f5a69995ed02b10911d0dce0ba1

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Versanddetails.exe (PID: 4840 cmdline: 'C:\Users\user\Desktop\Versanddetails.exe' MD5: 171C9A719C471C82E9FD6F07CCC3C049)
    • RegAsm.exe (PID: 6148 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 4564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 5428 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 2044 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 7128 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 5684 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 7104 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 5816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source / Rule / Description / Author / Strings

Source: 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp
Rule: RAT_HawkEye (Detects HawkEye RAT); Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b937:$key: HawkEyeKeylogger
  • 0x7dba1:$salt: 099u787978786
  • 0x7bf78:$string1: HawkEye_Keylogger
  • 0x7cdcb:$string1: HawkEye_Keylogger
  • 0x7db01:$string1: HawkEye_Keylogger
  • 0x7c361:$string2: holdermail.txt
  • 0x7c381:$string2: holdermail.txt
  • 0x7c2a3:$string3: wallet.dat
  • 0x7c2bb:$string3: wallet.dat
  • 0x7c2d1:$string3: wallet.dat
  • 0x7d6c5:$string4: Keylog Records
  • 0x7d9dd:$string4: Keylog Records
  • 0x7dbf9:$string5: do not script -->
  • 0x7b91f:$string6: \pidloc.txt
  • 0x7b9ad:$string7: BSPLIT
  • 0x7b9bd:$string7: BSPLIT

Source: 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp
Rule: JoeSecurity_MailPassView (Yara detected MailPassView); Author: Joe Security

Source: 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView (Yara detected WebBrowserPassView password recovery tool); Author: Joe Security

Source: 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp
Rule: Hawkeye (detect HawkEye in memory); Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bfd0:$hawkstr1: HawkEye Keylogger
  • 0x7ce11:$hawkstr1: HawkEye Keylogger
  • 0x7d140:$hawkstr1: HawkEye Keylogger
  • 0x7d29b:$hawkstr1: HawkEye Keylogger
  • 0x7d3fe:$hawkstr1: HawkEye Keylogger
  • 0x7d69d:$hawkstr1: HawkEye Keylogger
  • 0x7bb5e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d193:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ea:$hawkstr2: Dear HawkEye Customers!
  • 0x7d451:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc7f:$hawkstr3: HawkEye Logger Details:

Source: 00000003.00000002.277570655.0000000003912000.00000004.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView (Yara detected WebBrowserPassView password recovery tool); Author: Joe Security

(20 further memory-dump matches not shown)

Unpacked PEs

Source / Rule / Description / Author / Strings

Source: 3.2.RegAsm.exe.400000.0.unpack
Rule: RAT_HawkEye (Detects HawkEye RAT); Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT

Source: 3.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_MailPassView (Yara detected MailPassView); Author: Joe Security

Source: 3.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_WebBrowserPassView (Yara detected WebBrowserPassView password recovery tool); Author: Joe Security

Source: 3.2.RegAsm.exe.400000.0.unpack
Rule: Hawkeye (detect HawkEye in memory); Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bfb0:$hawkstr1: HawkEye Keylogger
  • 0x7cdf1:$hawkstr1: HawkEye Keylogger
  • 0x7d120:$hawkstr1: HawkEye Keylogger
  • 0x7d27b:$hawkstr1: HawkEye Keylogger
  • 0x7d3de:$hawkstr1: HawkEye Keylogger
  • 0x7d67d:$hawkstr1: HawkEye Keylogger
  • 0x7bb3e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d173:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d431:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc5f:$hawkstr3: HawkEye Logger Details:

Source: 0.2.Versanddetails.exe.54e0000.3.unpack
Rule: RAT_HawkEye (Detects HawkEye RAT); Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT

(3 further unpacked-PE matches not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started
Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
Data:
  Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
  CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
  CommandLine|base64offset|contains: ^
  Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ParentProcessId: 672
  ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
  ProcessId: 7128
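The Sigma hit above keys on the chain from the process tree: the hollowed RegAsm.exe launches vbc.exe with /stext and a file under %Temp%. vbc.exe is the VB.NET compiler and has no /stext switch; that switch belongs to the NirSoft MailPassView and WebBrowserPassView tools the Yara rules detected in memory, and holdermail.txt is one of the HawkEye rule strings. The Python below is an added example, not part of the Joe Sandbox report or of any Sigma rule, that runs that detection logic over a few constructed Sysmon-style process-creation events. Field names follow Sysmon's process-creation event; the RegSvcs.exe and InstallUtil.exe parent names and the csc.exe child are assumptions added for generality.

```python
import re

# Constructed Sysmon-style process-creation events (not the report's own logs).
# The first mirrors the RegAsm.exe -> vbc.exe /stext chain from the process tree;
# the other two are benign look-alikes a build or deployment host produces.
EVENTS = [
    {"ProcessId": 7128, "ParentProcessId": 672,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"},
    {"ProcessId": 3100, "ParentProcessId": 3090,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"vbc.exe /noconfig /out:obj\Release\App.dll /target:library Form1.vb"},
    {"ProcessId": 4200, "ParentProcessId": 4100,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"RegAsm.exe /codebase C:\Program Files\Vendor\Interop.dll"},
]

# Output switches of the NirSoft password-recovery tools (MailPassView, WebBrowserPassView).
# The genuine vbc.exe / csc.exe compilers accept none of them.
NIRSOFT_OUTPUT_SWITCH = re.compile(r"(?<![\w/])/s(text|html|verhtml|xml|csv|tab|comma)\b", re.I)

# .NET framework utilities that never need to launch a compiler. RegAsm.exe is the host
# hollowed in this report; RegSvcs.exe and InstallUtil.exe are an assumption for generality.
NON_COMPILING_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
COMPILERS = {"vbc.exe", "csc.exe"}

# File names HawkEye hands to the embedded NirSoft tools (holdermail.txt / holderwb.txt).
HAWKEYE_DUMP_FILE = re.compile(r"\\Temp\\holder(mail|wb)\.txt", re.I)


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons an event is suspicious; an empty list means benign."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    reasons = []
    if image in COMPILERS and NIRSOFT_OUTPUT_SWITCH.search(cmdline):
        reasons.append("compiler image invoked with a NirSoft output switch")
    if parent in NON_COMPILING_HOSTS and image in COMPILERS:
        reasons.append(f"{parent} spawned {image}")
    if HAWKEYE_DUMP_FILE.search(cmdline):
        reasons.append("HawkEye credential dump file name on the command line")
    return reasons


def alerts(events):
    """Map ProcessId -> reasons for every event that trips at least one check."""
    out = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            out[event["ProcessId"]] = reasons
    return out


if __name__ == "__main__":
    for pid, reasons in alerts(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The three checks are deliberately independent: the /stext switch alone is enough to flag the event even if the loader picks a different host than RegAsm.exe, and the parent/child pairing catches the chain when the command line is shortened or obfuscated.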

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: Versanddetails.exe; Joe Sandbox ML: detected

May infect USB drives
Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp; Binary or memory string: autorun.inf
Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp; Binary or memory string: [autorun]
Source: RegAsm.exe, 00000003.00000002.273233246.0000000000402000.00000040.00000001.sdmp; Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000003.00000002.273233246.0000000000402000.00000040.00000001.sdmp; Binary or memory string: [autorun]
Source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp; Binary or memory string: autorun.inf
Source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp; Binary or memory string: [autorun]

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then call 04EEA6E8h (3_2_075FC7B0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075FC7B0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075FD64D)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075F26D9)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075FCE84)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075FD563)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then call 04EEA6E8h (3_2_075F048D)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075F048D)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075FCB5F)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075F2BA1)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075F326B)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075F2835)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then call 04EEA6E8h (3_2_075FC89A)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_075FC89A)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (3_2_077AFE8B)

Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.277570655.0000000003912000.00000004.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.277570655.0000000003912000.00000004.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: 101.37.7.0.in-addr.arpa
Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.277570655.0000000003912000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 00000011.00000003.300260757.0000000000599000.00000004.00000001.sdmp; String found in binary or memory: http://crl.microsoft
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.277570655.0000000003912000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: RegAsm.exe, 00000003.00000002.274514566.00000000028A1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000006.00000003.253625261.0000000005160000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.273233246.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp; String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000003.00000003.220521107.00000000059DF000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000003.219819094.00000000059D3000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: RegAsm.exe, 00000003.00000003.219089424.00000000059D3000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com%&
Source: RegAsm.exe, 00000003.00000003.219089424.00000000059D3000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com1
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000003.00000003.219089424.00000000059D3000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comrMGw
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000003.224179214.0000000005A05000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 00000003.00000003.222339971.0000000005A0D000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RegAsm.exe, 00000003.00000003.222399647.0000000005A0D000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers4
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 00000003.00000003.222901792.0000000005A0D000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers9
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 00000003.00000002.283615434.00000000059D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comaj
Source: RegAsm.exe, 00000003.00000002.283615434.00000000059D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comgrita
Source: RegAsm.exe, 00000003.00000003.222817092.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comionk
Source: RegAsm.exe, 00000003.00000002.283615434.00000000059D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comt
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000003.00000003.220308168.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Q
Source: RegAsm.exe, 00000003.00000003.220191169.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/R
Source: RegAsm.exe, 00000003.00000003.220308168.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Vers
Source: RegAsm.exe, 00000003.00000003.220308168.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: RegAsm.exe, 00000003.00000003.220308168.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: RegAsm.exe, 00000003.00000003.220308168.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: RegAsm.exe, 00000003.00000003.220191169.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: RegAsm.exe, 00000003.00000003.220308168.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: RegAsm.exe, 00000003.00000003.220308168.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
Source: RegAsm.exe, 00000003.00000003.220308168.00000000059D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/oitX
Source: RegAsm.exe, 00000003.00000002.273233246.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000003.00000002.274514566.00000000028A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 00000003.00000002.288395589.0000000006C62000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Versanddetails.exe.54e0000.3.unpack, Form1.cs; .Net Code: HookKeyboard
Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs; .Net Code: HookKeyboard

Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075F04E4 SetWindowsHookExA 0000000D,00000000,?,? (idHook 0x0D is WH_KEYBOARD_LL, a system-wide low-level keyboard hook; thread id 0 makes it global)

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.274514566.00000000028A1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.273233246.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.273233246.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.213166475.00000000054E2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.213166475.00000000054E2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.212505269.0000000003835000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.212505269.0000000003835000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.Versanddetails.exe.54e0000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Versanddetails.exe.54e0000.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions
Source: C:\Users\user\Desktop\Versanddetails.exe; Code function: 0_2_028100AD NtOpenSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\Versanddetails.exe; Code function: 0_2_02811C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_07792778 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_07792830 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_07792618 NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_07792770 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_07792828 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_07792613 NtResumeThread

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075FBEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075FE470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075F3BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075F2BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075FF238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075F22B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075F98C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075F048D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075F3BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_075F22A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_07791BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_07790798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_077AB4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 3_2_077A0040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_077AEEC83_2_077AEEC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_077ABDB03_2_077ABDB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_077AB1983_2_077AB198
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_077A00073_2_077A0007
            Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 2044
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Versanddetails.exe
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Versanddetails.exe
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs Versanddetails.exe
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs Versanddetails.exe
            Source: Versanddetails.exe, 00000000.00000002.213042038.0000000004D00000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEeGzDtcchHaGvpyx.river.exe4 vs Versanddetails.exe
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.274514566.00000000028A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.273233246.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000003.00000002.273233246.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.213166475.00000000054E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.213166475.00000000054E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.212505269.0000000003835000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.212505269.0000000003835000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: Versanddetails.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, Form1.cs Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: RegAsm.exe, 00000003.00000002.273876234.0000000000C5B000.00000004.00000020.sdmp Binary or memory string: ;.VBP
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/15@3/1
            Source: C:\Users\user\Desktop\Versanddetails.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Versanddetails.exe.log
            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess672
            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7128
            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7104
            Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER11EC.tmp
            Source: Versanddetails.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Versanddetails.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\Versanddetails.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: unknown Process created: C:\Users\user\Desktop\Versanddetails.exe 'C:\Users\user\Desktop\Versanddetails.exe'
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 2044
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 176
            Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 176
            Source: C:\Users\user\Desktop\Versanddetails.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Users\user\Desktop\Versanddetails.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Users\user\Desktop\Versanddetails.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Versanddetails.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Versanddetails.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: anagement.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: CLBCatQ.pdb* source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 00000010.00000002.304964204.0000000004E40000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.306297749.00000000048B0000.00000002.00000001.sdmp
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.241808842.0000000004684000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.278240129.0000000000B39000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.288833024.0000000004771000.00000004.00000001.sdmp
            Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.255480293.0000000000B52000.00000004.00000040.sdmp
            Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Xml.pdbp source: WER11EC.tmp.dmp.6.dr
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000003.00000002.289457274.0000000007804000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.268460735.0000000000B70000.00000002.00000001.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.255847088.0000000000B50000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.278973826.0000000000B1F000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.288833024.0000000004771000.00000004.00000001.sdmp
            Source: Binary string: winrnr.pdbr source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: winnsi.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: ml.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: clr.pdb source: WerFault.exe, 00000006.00000003.255563110.0000000000B61000.00000004.00000040.sdmp
            Source: Binary string: .ni.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000006.00000003.255733647.0000000004B7C000.00000004.00000001.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: ility.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000006.00000003.255587913.0000000000B6D000.00000004.00000040.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: i0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000003.00000002.289986628.00000000081AA000.00000004.00000010.sdmp
            Source: Binary string: RegAsm.PDB source: RegAsm.exe, 00000003.00000002.289986628.00000000081AA000.00000004.00000010.sdmp
            Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: System.Core.pdb0 source: WER11EC.tmp.dmp.6.dr
            Source: Binary string: dwmapi.pdbV source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdbY source: WerFault.exe, 00000006.00000003.255587913.0000000000B6D000.00000004.00000040.sdmp
            Source: Binary string: ml.pdbe source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.278525895.0000000000B2B000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.288833024.0000000004771000.00000004.00000001.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.255563110.0000000000B61000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000006.00000003.255563110.0000000000B61000.00000004.00000040.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.274514566.00000000028A1000.00000004.00000001.sdmp
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.273233246.0000000000402000.00000040.00000001.sdmp
            Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000003.00000002.289457274.0000000007804000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.268460735.0000000000B70000.00000002.00000001.sdmp
            Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: mscoree.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: sfc.pdb! source: WerFault.exe, 00000006.00000003.255563110.0000000000B61000.00000004.00000040.sdmp
            Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb| source: WER11EC.tmp.dmp.6.dr
            Source: Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.255480293.0000000000B52000.00000004.00000040.sdmp
            Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: .pdb0 source: RegAsm.exe, 00000003.00000002.289986628.00000000081AA000.00000004.00000010.sdmp
            Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000003.00000002.289986628.00000000081AA000.00000004.00000010.sdmp
            Source: Binary string: Kernel.Appcore.pdb_ source: WerFault.exe, 00000006.00000003.255847088.0000000000B50000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: nsi.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.255480293.0000000000B52000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000006.00000003.255563110.0000000000B61000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER11EC.tmp.dmp.6.dr
            Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: ole32.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: System.pdbY source: WerFault.exe, 00000006.00000003.255611126.0000000004B7A000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: comctl32v582.pdb\ source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000003.00000002.289466652.000000000780A000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: DWrite.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.255480293.0000000000B52000.00000004.00000040.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.255847088.0000000000B50000.00000004.00000040.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000006.00000003.255611126.0000000004B7A000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: System.Management.pdb source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: System.ni.pdbY source: WerFault.exe, 00000006.00000003.255611126.0000000004B7A000.00000004.00000001.sdmp
            Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.278704006.0000000000B25000.00000004.00000001.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER11EC.tmp.dmp.6.dr
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.PDB source: RegAsm.exe, 00000003.00000002.274077029.0000000000D28000.00000004.00000001.sdmp
            Source: Binary string: edputil.pdbt source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.255563110.0000000000B61000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdbj source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS source: WER11EC.tmp.dmp.6.dr
            Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000010.00000003.285499941.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.288833024.0000000004771000.00000004.00000001.sdmp
            Source: Binary string: wgdi32full.pdb" source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: cryptsp.pdbl source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000003.00000002.289986628.00000000081AA000.00000004.00000010.sdmp
            Source: Binary string: sfc.pdb| source: WerFault.exe, 00000006.00000003.255553789.0000000000B5E000.00000004.00000040.sdmp
            Source: Binary string: rsaenh.pdb~ source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Core.ni.pdbRSDSD source: WER11EC.tmp.dmp.6.dr
            Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000006.00000003.255587913.0000000000B6D000.00000004.00000040.sdmp
            Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: rawing.pdb source: WerFault.exe, 00000006.00000003.255733647.0000000004B7C000.00000004.00000001.sdmp
            Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: iCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000010.00000002.300045295.00000000005E2000.00000004.00000010.sdmp, WerFault.exe, 00000011.00000002.301212041.00000000000D2000.00000004.00000010.sdmp
            Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.255847088.0000000000B50000.00000004.00000040.sdmp
            Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 00000010.00000002.304964204.0000000004E40000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.306297749.00000000048B0000.00000002.00000001.sdmp
            Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.255480293.0000000000B52000.00000004.00000040.sdmp
            Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000006.00000003.255480293.0000000000B52000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.255480293.0000000000B52000.00000004.00000040.sdmp
            Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: clrjit.pdb` source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000006.00000003.255587913.0000000000B6D000.00000004.00000040.sdmp
            Source: Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: ore.pdb, source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: Accessibility.pdb dVk source: WER11EC.tmp.dmp.6.dr
            Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: wmswsock.pdbX source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.278973826.0000000000B1F000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000003.00000002.289986628.00000000081AA000.00000004.00000010.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdbB source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: WMINet_Utils.pdb\ source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER11EC.tmp.dmp.6.dr
            Source: Binary string: clrjit.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Drawing.pdbY source: WerFault.exe, 00000006.00000003.255611126.0000000004B7A000.00000004.00000001.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.255480293.0000000000B52000.00000004.00000040.sdmp
            Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000006.00000003.255563110.0000000000B61000.00000004.00000040.sdmp
            Source: Binary string: fastprox.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: .pdbn source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: winrnr.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Versanddetails.exe, 00000000.00000002.213110083.0000000004EDA000.00000004.00000001.sdmp, RegAsm.exe, 00000003.00000002.277570655.0000000003912000.00000004.00000001.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: version.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: System.pdb source: WerFault.exe, 00000006.00000003.255611126.0000000004B7A000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: ore.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000006.00000003.255733647.0000000004B7C000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.255847088.0000000000B50000.00000004.00000040.sdmp
            Source: Binary string: System.Management.pdb\ source: WER11EC.tmp.dmp.6.dr
            Source: Binary string: psapi.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.255847088.0000000000B50000.00000004.00000040.sdmp
            Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000010.00000003.278525895.0000000000B2B000.00000004.00000001.sdmp
            Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: setupapi.pdbV source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Core.pdb source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.255813754.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000006.00000003.254220946.0000000004E60000.00000004.00000001.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000006.00000003.255654741.0000000004B61000.00000004.00000001.sdmp
            Source: Binary string: ws2_32.pdbD source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdb source: WerFault.exe, 00000006.00000003.255733647.0000000004B7C000.00000004.00000001.sdmp, WER11EC.tmp.dmp.6.dr
            Source: Binary string: edputil.pdb source: WerFault.exe, 00000006.00000003.255496779.0000000000B5B000.00000004.00000040.sdmp
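The "Binary string: ...pdb" hits above are produced by scanning process memory for PDB paths; a bare string scan is why many names arrive truncated ("ml.ni.pdb", "ore.pdb") or with a junk suffix ("wntdll.pdbk"), and why one hit shows a format string running straight into "RSDSwkernel32.pdb". That "RSDS" is the CodeView debug record that actually carries the path, and parsing it instead of grepping for ".pdb" gives the exact name plus the GUID and age needed to fetch symbols for a dumped module. The scanner below is an added example, not part of the sandbox report; the sample dump it scans is constructed inline to mirror the report's hits, and the record layout is the documented RSDS format (signature, 16-byte GUID, 32-bit age, NUL-terminated path).

```python
"""Extract CodeView RSDS (PDB) records from a raw memory dump or file.

Added example for the report above, not the sandbox's own code.
Record layout: 'RSDS' | GUID (16 bytes, Windows mixed-endian) | Age (u32 LE) | path '\0'
"""
import re
import struct
import uuid
from typing import Iterator, List, NamedTuple


class RsdsRecord(NamedTuple):
    offset: int     # byte offset of the 'RSDS' signature in the scanned blob
    guid: str       # canonical GUID string
    age: int        # PDB age, part of the symbol-server key
    pdb_path: str   # path exactly as the linker embedded it


_RSDS = re.compile(rb"RSDS")


def iter_rsds(blob: bytes, max_path: int = 512) -> Iterator[RsdsRecord]:
    """Yield every well-formed RSDS record found in blob.

    Hits whose path is not NUL-terminated within max_path bytes, is not
    printable ASCII, or does not end in .pdb are dropped, so stray 'RSDS'
    bytes in a dump do not turn into bogus symbol references.
    """
    for m in _RSDS.finditer(blob):
        start = m.start()
        hdr_end = start + 4 + 16 + 4
        if hdr_end > len(blob):
            continue
        guid_raw = blob[start + 4:start + 20]
        (age,) = struct.unpack_from("<I", blob, start + 20)
        end = blob.find(b"\x00", hdr_end, hdr_end + max_path)
        if end == -1:
            continue
        path_bytes = blob[hdr_end:end]
        if not path_bytes or not all(0x20 <= b < 0x7F for b in path_bytes):
            continue
        path = path_bytes.decode("ascii")
        if not path.lower().endswith(".pdb"):
            continue
        yield RsdsRecord(start, str(uuid.UUID(bytes_le=guid_raw)), age, path)


def scan(blob: bytes) -> List[RsdsRecord]:
    return list(iter_rsds(blob))


def symbol_server_key(rec: RsdsRecord) -> str:
    """Symbol-store lookup path: <name>/<GUID without dashes, upper><age hex>/<name>."""
    name = rec.pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    return f"{name}/{rec.guid.replace('-', '').upper()}{rec.age:X}/{name}"


def build_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Serialise an RSDS record; used here only to construct the sample dump."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed sample "memory dump" (not real data from the sample): two valid
# records, one of them glued to a format string as in the report, plus a decoy
# 'RSDS' with no terminated path that the scanner must ignore.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_DUMP = (
    b"\x00" * 7
    + build_rsds(SAMPLE_GUID, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.PDB")
    + b"iCReportStore::Prune\x00"
    + build_rsds(SAMPLE_GUID, 2, "wkernel32.pdb")
    + b"RSDS" + b"\xff" * 20 + b"\x01\x02\x03"
)


if __name__ == "__main__":
    for rec in scan(SAMPLE_DUMP):
        print(f"{rec.offset:#06x} age={rec.age} {rec.pdb_path} -> {symbol_server_key(rec)}")
```

Run it against a `.dmp` or an unpacked memory region (`scan(open(path, "rb").read())`) to turn the noisy list above into exact module names; the GUID and age uniquely identify the build, which is what you need to confirm that an injected RegAsm.exe image is the stock framework binary rather than a modified copy.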

            Data Obfuscation:

.NET source code contains potential unpacker
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Versanddetails.exe.54e0000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.RegAsm.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.R