Analysis Report SecuriteInfo.com.Trojan.GenericKD.43567529.8582.1416

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.1416 (renamed file extension from 1416 to exe)
Analysis ID: 254287
MD5: 73ffb9a03f890a4cee2c404f407da2e7
SHA1: abc88abee0b5bb20c68cbf6e8866eb87343748ad
SHA256: 89960c6e0b1d193051322647448e48fe0c4a42fc103d2b19256c0e335da71189

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe (PID: 6980 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe' MD5: 73FFB9A03F890A4CEE2C404F407DA2E7)
    • RegAsm.exe (PID: 7008 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 6172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 2056 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6032 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 6052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 180 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 5044 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 2296 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.1343790927.0000000003729000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  Strings:
  • 0x7b937:$key: HawkEyeKeylogger
  • 0x7dba1:$salt: 099u787978786
  • 0x7bf78:$string1: HawkEye_Keylogger
  • 0x7cdcb:$string1: HawkEye_Keylogger
  • 0x7db01:$string1: HawkEye_Keylogger
  • 0x7c361:$string2: holdermail.txt
  • 0x7c381:$string2: holdermail.txt
  • 0x7c2a3:$string3: wallet.dat
  • 0x7c2bb:$string3: wallet.dat
  • 0x7c2d1:$string3: wallet.dat
  • 0x7d6c5:$string4: Keylog Records
  • 0x7d9dd:$string4: Keylog Records
  • 0x7dbf9:$string5: do not script -->
  • 0x7b91f:$string6: \pidloc.txt
  • 0x7b9ad:$string7: BSPLIT
  • 0x7b9bd:$string7: BSPLIT
00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x7bfd0:$hawkstr1: HawkEye Keylogger
  • 0x7ce11:$hawkstr1: HawkEye Keylogger
  • 0x7d140:$hawkstr1: HawkEye Keylogger
  • 0x7d29b:$hawkstr1: HawkEye Keylogger
  • 0x7d3fe:$hawkstr1: HawkEye Keylogger
  • 0x7d69d:$hawkstr1: HawkEye Keylogger
  • 0x7bb5e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d193:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ea:$hawkstr2: Dear HawkEye Customers!
  • 0x7d451:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc7f:$hawkstr3: HawkEye Logger Details:
(20 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  Strings:
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x7bfb0:$hawkstr1: HawkEye Keylogger
  • 0x7cdf1:$hawkstr1: HawkEye Keylogger
  • 0x7d120:$hawkstr1: HawkEye Keylogger
  • 0x7d27b:$hawkstr1: HawkEye Keylogger
  • 0x7d3de:$hawkstr1: HawkEye Keylogger
  • 0x7d67d:$hawkstr1: HawkEye Keylogger
  • 0x7bb3e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d173:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d431:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc5f:$hawkstr3: HawkEye Logger Details:
1.2.RegAsm.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  Strings:
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
(3 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started; Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update); Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 7008, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 6032

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: RegAsm.exe, 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then call 04FBA6E8h (1_2_074BCF08)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074BCF08)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then call 04FBA6E8h (1_2_074BCFF2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074BCFF2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then call 04FBA6E8h (1_2_074BC7A8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074BC7A8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074B26D9)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074BD5DC)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074BDDA5)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074BDCBB)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074B2BA1)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074B326B)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074BD2B7)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_074B2835)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (1_2_075DFE8B)
Source: unknown, DNS traffic detected: query: 226.177.13.0.in-addr.arpa reply code: Name error (3)
Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown, DNS traffic detected: queries for: 226.177.13.0.in-addr.arpa
Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 00000004.00000002.1333528754.00000000032D1000.00000004.00000020.sdmp, String found in binary or memory: http://crl.microp
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: RegAsm.exe, 00000001.00000002.1340229544.0000000002721000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000004.00000003.1319147573.0000000005C00000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000003.1286443874.0000000005972000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000001.00000003.1287266920.000000000596B000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: RegAsm.exe, 00000001.00000003.1287266920.000000000596B000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comTC
Source: RegAsm.exe, 00000001.00000003.1287266920.000000000596B000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comh
Source: RegAsm.exe, 00000001.00000003.1287266920.000000000596B000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comht
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000001.00000003.1287266920.000000000596B000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comn-uq
Source: RegAsm.exe, 00000001.00000003.1287266920.000000000596B000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como
Source: RegAsm.exe, 00000001.00000003.1287266920.000000000596B000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 00000001.00000003.1289402414.000000000596C000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designerss
Source: RegAsm.exe, 00000001.00000003.1289025769.000000000596B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersy
Source: RegAsm.exe, 00000001.00000002.1347501292.0000000005960000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: RegAsm.exe, 00000001.00000002.1347501292.0000000005960000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comgrita
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000001.00000003.1286076753.000000000599E000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000001.00000003.1284937572.000000000599D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnt-p
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000001.00000002.1343790927.0000000003729000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000003.1282129949.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000001.00000003.1284594186.000000000596E000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.krimKim
Source: RegAsm.exe, 00000001.00000002.1340229544.0000000002721000.00000004.00000001.sdmp, String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 00000001.00000002.1347921351.0000000005AD0000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, Form1.cs, .Net Code: HookKeyboard
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs, .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_074B04E4 SetWindowsHookExA 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1280401723.0000000005BE2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1280401723.0000000005BE2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1340229544.0000000002721000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1278610153.0000000003ED5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1278610153.0000000003ED5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, Code function: 0_2_02EB00AD NtOpenSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, Code function: 0_2_02EB1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075C2778 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075C2618 NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075C2830 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075C2770 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075C2612 NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075C2828 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_074BE4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_074B3BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_074B2BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_074BF230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_074B22B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_074B98C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_074BC7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_074B3BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_074B22A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075C1BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075DB4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075DEEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075DBDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075DB198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 1_2_075D0006
Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 2056
Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280116270.0000000005440000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamebVwmUKDUzCzHhuks.river.exe4 vs SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
            Source: 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.1280401723.0000000005BE2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.1280401723.0000000005BE2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.1340229544.0000000002721000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.1278610153.0000000003ED5000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000000.00000002.1278610153.0000000003ED5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, Form1.cs Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Binary or memory string: .VbP@
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Binary or memory string: 4.VbP@
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/15@1/1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.log
            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6032
            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5044
            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7008
            Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE115.tmp
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe'
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 2056
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 180
            Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 176
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: anagement.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: NapiNSP.pdb^I source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 0000000D.00000002.1366885286.0000000004CC0000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.1368348164.00000000054E0000.00000002.00000001.sdmp
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.1306340944.00000000032C2000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.1342027314.0000000002A1B000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1348944710.0000000005321000.00000004.00000001.sdmp
            Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.1320955534.0000000005622000.00000004.00000040.sdmp
            Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: bcrypt.pdb_x& source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: ^ .pdb0 source: RegAsm.exe, 00000001.00000002.1353376681.000000000811A000.00000004.00000010.sdmp
            Source: Binary string: RegAsm.pdb source: WerFault.exe, 00000004.00000002.1332910631.0000000003140000.00000002.00000001.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.1321586548.0000000005620000.00000004.00000040.sdmp
            Source: Binary string: onfiguration.pdb2 source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.1306325681.00000000032B5000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.1346806072.0000000004BD1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1348944710.0000000005321000.00000004.00000001.sdmp
            Source: Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: ml.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: clr.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: .ni.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000004.00000003.1321460202.000000000566C000.00000004.00000001.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: ility.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000004.00000003.1321234194.000000000563E000.00000004.00000040.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: RegAsm.PDB source: RegAsm.exe, 00000001.00000002.1353376681.000000000811A000.00000004.00000010.sdmp
            Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: mCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.1362652563.0000000002582000.00000004.00000010.sdmp, WerFault.exe, 0000000E.00000002.1363908730.0000000002DC2000.00000004.00000010.sdmp
            Source: Binary string: System.Core.pdbPE source: WERE115.tmp.dmp.4.dr
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.1309141936.00000000032C8000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.1346806072.0000000004BD1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1348944710.0000000005321000.00000004.00000001.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1340536635.000000000275F000.00000004.00000001.sdmp
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1343790927.0000000003729000.00000004.00000001.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdbl source: WERE115.tmp.dmp.4.dr
            Source: Binary string: RegAsm.pdb4 source: WerFault.exe, 00000004.00000002.1332910631.0000000003140000.00000002.00000001.sdmp
            Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: mscoree.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: sfc.pdb! source: WerFault.exe, 00000004.00000003.1321168088.0000000005631000.00000004.00000040.sdmp
            Source: Binary string: m0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000001.00000002.1353376681.000000000811A000.00000004.00000010.sdmp
            Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.1320955534.0000000005622000.00000004.00000040.sdmp
            Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.1353376681.000000000811A000.00000004.00000010.sdmp
            Source: Binary string: wUxTheme.pdbdI; source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: winrnr.pdbpI' source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.1320955534.0000000005622000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WERE115.tmp.dmp.4.dr
            Source: Binary string: cryptsp.pdb.N source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: shlwapi.pdbUx, source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000001.00000002.1353376681.000000000811A000.00000004.00000010.sdmp, WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: DWrite.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.1320955534.0000000005622000.00000004.00000040.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.1321586548.0000000005620000.00000004.00000040.sdmp
            Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: System.Management.pdb source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.1306340944.00000000032C2000.00000004.00000001.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERE115.tmp.dmp.4.dr
            Source: Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS source: WERE115.tmp.dmp.4.dr
            Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.1346806072.0000000004BD1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1348944710.0000000005321000.00000004.00000001.sdmp
            Source: Binary string: wgdi32full.pdb" source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.1353376681.000000000811A000.00000004.00000010.sdmp
            Source: Binary string: System.Core.ni.pdbRSDSD source: WERE115.tmp.dmp.4.dr
            Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000004.00000003.1321234194.000000000563E000.00000004.00000040.sdmp
            Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: rawing.pdb source: WerFault.exe, 00000004.00000003.1321460202.000000000566C000.00000004.00000001.sdmp
            Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: System.Management.pdbs source: WERE115.tmp.dmp.4.dr
            Source: Binary string: msctf.pdbTI source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.1321586548.0000000005620000.00000004.00000040.sdmp
            Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: Accessibility.pdbP source: WERE115.tmp.dmp.4.dr
            Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 0000000D.00000002.1366885286.0000000004CC0000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.1368348164.00000000054E0000.00000002.00000001.sdmp
            Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.1320955534.0000000005622000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000004.00000003.1320955534.0000000005622000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.1320955534.0000000005622000.00000004.00000040.sdmp
            Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: advapi32.pdbYx source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000004.00000003.1321234194.000000000563E000.00000004.00000040.sdmp
            Source: Binary string: rasadhlp.pdbvI- source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: System.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.1306325681.00000000032B5000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.1353376681.000000000811A000.00000004.00000010.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdbCx: source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: .pdb{ source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: DWrite.pdbXI source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WERE115.tmp.dmp.4.dr
            Source: Binary string: dhcpcsvc.pdbzI! source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: clrjit.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: clrjit.pdb(N source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: wbemcomn.pdbLI source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.1320955534.0000000005622000.00000004.00000040.sdmp
            Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: fastprox.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: winrnr.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe, 00000000.00000002.1280247714.00000000055D1000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1337218056.0000000000402000.00000040.00000001.sdmp
            Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: wbemprox.pdbBI source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: System.pdb source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: ore.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000004.00000003.1321460202.000000000566C000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.1321586548.0000000005620000.00000004.00000040.sdmp
            Source: Binary string: psapi.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.1309141936.00000000032C8000.00000004.00000001.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.1321586548.0000000005620000.00000004.00000040.sdmp
            Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: System.Core.pdb source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.1321549696.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000004.00000003.1319757484.0000000005900000.00000004.00000001.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000004.00000003.1321327850.0000000005651000.00000004.00000001.sdmp
            Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp
            Source: Binary string: System.ni.pdb source: WerFault.exe, 00000004.00000003.1321460202.000000000566C000.00000004.00000001.sdmp, WERE115.tmp.dmp.4.dr
            Source: Binary string: edputil.pdb source: WerFault.exe, 00000004.00000003.1320988865.000000000562B000.00000004.00000040.sdmp

            Data Obfuscation:

.NET source code contains potential unpacker
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe.5be0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Code function: 0_2_00B575B3 push FFFFFF8Dh; retf 0_2_00B575B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Code function: 0_2_00B57945 push ecx; ret 0_2_00B57946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_074B5A21 push esp; retf 1_2_074B5A22
Source: initial sample Static PE information: section name: .text entropy: 7.26672241877
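The last line above flags the sample's .text section for its entropy (7.27 bits per byte), the static companion to the Assembly.Load(byte[]) calls: code that is packed or encrypted looks close to random, and a section that is mostly such data is a strong hint that the real payload is unpacked at runtime. The following is an added example, not Joe Sandbox code and not taken from the sample. It reads the PE section table with the standard library only and computes the Shannon entropy of each section's on-disk bytes; the 7.0 threshold is an assumption, and the two-section PE image it analyses is constructed in memory so that the check runs offline.

```python
"""Per-section entropy check for PE files (added example, standard library only)."""
import hashlib
import math
import struct
from collections import Counter

# Assumed threshold: code and data of unpacked binaries usually sit well below
# this; packed or encrypted payloads approach the 8 bits/byte maximum.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for every section in a PE image.

    Only the fields needed to locate raw section bytes are parsed: e_lfanew at
    0x3C, NumberOfSections and SizeOfOptionalHeader from the COFF header, then
    SizeOfRawData/PointerToRawData from each 40-byte section header.
    """
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, raw_ptr, raw_size


def section_entropies(image: bytes) -> dict:
    """Map section name -> entropy of its on-disk bytes."""
    return {name: shannon_entropy(image[ptr:ptr + size])
            for name, ptr, size in pe_sections(image)}


def suspicious_sections(image: bytes, threshold: float = HIGH_ENTROPY) -> list:
    """Names of sections whose raw bytes look packed or encrypted."""
    return [n for n, e in section_entropies(image).items() if e >= threshold]


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_test_pe() -> bytes:
    """Constructed two-section PE image: high-entropy .text, plain-text .rdata."""
    text_data = _pseudo_random(4096, b"constructed packed section")
    rdata_data = (b"Hello from a plain .rdata section\0" * 32)[:1024]
    text_off = 0x200
    rdata_off = text_off + len(text_data)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, opt_size, 0x0102)

    def section(name, vaddr, data, raw_ptr, flags):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                           raw_ptr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt_size)
               + section(b".text", 0x1000, text_data, text_off, 0x60000020)
               + section(b".rdata", 0x3000, rdata_data, rdata_off, 0x40000040))
    image = bytearray(text_off)
    image[:len(headers)] = headers
    return bytes(image) + text_data + rdata_data


if __name__ == "__main__":
    pe = build_test_pe()
    for name, ent in section_entropies(pe).items():
        print(f"{name:8s} entropy {ent:.3f}")
    print("suspicious:", suspicious_sections(pe))
```

To run the same check on a file, pass its bytes to section_entropies() instead of build_test_pe(). Entropy alone is a triage signal, not a verdict: legitimately compressed resources and embedded certificates also score high, which is why the report pairs this line with the Assembly.Load(byte[]) references in the decompiled source.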

            Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
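The first registry write above is the one worth alerting on: the injected RegAsm.exe process changes the current user's Explorer folder-view setting, which is how a dropped payload keeps its files out of sight. The following detection rule is an added example, not part of this report, and runs over a few constructed Sysmon-style Event ID 13 (registry value set) records embedded in the block; the field names follow Sysmon's schema, the rendering of DWORD values in the Details field and the allow-list of processes expected to touch these values are assumptions, and the user SID and events are made up for the test.

```python
"""Alert on Explorer hidden-file view changes made by unexpected processes
(added example; constructed Sysmon-style events, not real telemetry)."""
import re
from collections import namedtuple

# Explorer folder-view values: Hidden (1 = show hidden files, 2 = do not show) and
# ShowSuperHidden (1 = show protected OS files, 0 = do not show).
HIDDEN_VIEW_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\"
    r"(?P<name>Hidden|ShowSuperHidden)$",
    re.IGNORECASE,
)
# Assumed rendering of DWORD values in the Sysmon "Details" field.
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
# Assumed allow-list: the process a user's own folder-option change comes from.
ALLOWED_IMAGES = frozenset({"explorer.exe"})

Alert = namedtuple("Alert", "image value_name new_value reason")

# Constructed sample data (made-up SID, made-up events).
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
ADVANCED = USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": ADVANCED + r"\Hidden", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": REGASM,
     "TargetObject": ADVANCED + r"\Hidden", "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Image": REGASM,
     "TargetObject": ADVANCED + r"\ShowSuperHidden", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\IdentityCRL\Immersive\production\Token\DeviceTicket",
     "Details": "Binary Data"},
]


def parse_dword(details):
    """Integer value of a Sysmon DWORD Details string, or None for other types."""
    m = DWORD_RE.fullmatch(details or "")
    return int(m.group(1), 16) if m else None


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_hidden_view_changes(events, allowed=ALLOWED_IMAGES):
    """Return an Alert for every folder-view registry write by a non-allowed process."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = HIDDEN_VIEW_RE.search(ev.get("TargetObject", ""))
        if not m or image_name(ev.get("Image", "")) in allowed:
            continue
        name, value = m.group("name"), parse_dword(ev.get("Details"))
        if name.lower() == "hidden" and value == 2:
            reason = "hidden files switched to not shown"
        elif name.lower() == "showsuperhidden" and value == 0:
            reason = "protected OS files switched to not shown"
        else:
            reason = "folder-view value changed by an unexpected process"
        alerts.append(Alert(ev["Image"], name, value, reason))
    return alerts


if __name__ == "__main__":
    for alert in detect_hidden_view_changes(SAMPLE_EVENTS):
        print(f"{image_name(alert.image)}: {alert.value_name}={alert.new_value} ({alert.reason})")
```

The rule keys on the value name rather than the full path because Sysmon records the user hive as HKU\<SID>\..., not HKEY_CURRENT_USER as the sandbox does. The WerFault.exe DeviceTicket write is deliberately in the sample set to show that it does not match: it is unrelated to folder-view settings.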
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.43567529.8582.exe Process information set: NOOPENFILEERRORBOX (14 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (11 occurrences)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.