
Analysis Report Versanddetails.exe

Overview

General Information

Sample Name: Versanddetails.exe
Analysis ID: 255295
MD5: 269a05d36d071c206dc87187d6136352
SHA1: 85f8c093f487db02ebbbda53d0893be9bdbc0ace
SHA256: b774ad4c9780bdb6e4fec9dbd688f1ac6d0ee75e9771c64de99e1f5152e0b385

Detection

HawkEye, MailPassView
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Versanddetails.exe (PID: 6880 cmdline: 'C:\Users\user\Desktop\Versanddetails.exe' MD5: 269A05D36D071C206DC87187D6136352)
    • RegAsm.exe (PID: 6908 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 7096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 2040 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
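As an added worked example (not part of the sandbox report), the process tree above can be triaged mechanically: a .NET host such as RegAsm.exe started with an empty command line by a parent under C:\Users is the shape of the injection chain the signatures list ("Creates a process in suspended mode", "Maps a DLL or memory area into another process"), and a WerFault.exe whose -p argument names that host is the crash recorded under "One or more processes crash". The input is the Startup block reproduced as a constructed string; the host list and the user-writable-path heuristic are this example's own choices, not the sandbox's logic.

```python
import re

# Constructed input: the Startup block of this report, reproduced verbatim.
STARTUP = r"""
  • System is w10x64
  • Versanddetails.exe (PID: 6880 cmdline: 'C:\Users\user\Desktop\Versanddetails.exe' MD5: 269A05D36D071C206DC87187D6136352)
    • RegAsm.exe (PID: 6908 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 7096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 2040 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
"""

# One tree line: indentation, image name, PID, command line, MD5.
LINE = re.compile(
    r"^(?P<indent> *)• (?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*?)"
    r" MD5: (?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)

# .NET utilities commonly used as hollowing hosts; this list is the example's
# own choice (RegAsm.exe is the one this report shows).
HOLLOWING_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def split_cmdline(cmd):
    """Split a Windows command line into (image, args): the image is the quoted
    first token if present, otherwise everything up to the first space."""
    cmd = cmd.strip()
    if cmd[:1] in ("'", '"'):
        end = cmd.find(cmd[0], 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(" ")
    return image, args.strip()


def parse_tree(text):
    """Return {pid: {name, image, args, parent}}; lineage comes from indentation."""
    procs, stack = {}, []  # stack of (indent width, pid) for open ancestors
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "System is w10x64" / "cleanup" are not processes
        depth = len(m["indent"])
        while stack and stack[-1][0] >= depth:
            stack.pop()
        image, args = split_cmdline(m["cmd"])
        pid = int(m["pid"])
        procs[pid] = {"name": m["name"], "image": image, "args": args,
                      "parent": stack[-1][1] if stack else None}
        stack.append((depth, pid))
    return procs


def suspicious_hosts(procs):
    """PIDs of known hollowing hosts launched with no arguments by a parent whose
    image sits under a user-writable path."""
    flagged = []
    for pid, p in procs.items():
        parent = procs.get(p["parent"])
        if (p["name"].lower() in HOLLOWING_HOSTS and p["args"] == ""
                and parent is not None and "\\users\\" in parent["image"].lower()):
            flagged.append(pid)
    return flagged


def crashed_hosts(procs, flagged):
    """(werfault_pid, target_pid) pairs where WerFault's -p names a flagged host,
    i.e. the injected payload crashed inside it."""
    pairs = []
    for pid, p in procs.items():
        if p["name"].lower() != "werfault.exe":
            continue
        m = re.search(r"-p (\d+)", p["args"])
        if m and int(m[1]) in flagged:
            pairs.append((pid, int(m[1])))
    return pairs


if __name__ == "__main__":
    tree = parse_tree(STARTUP)
    hosts = suspicious_hosts(tree)
    print("hollowing host candidates:", hosts)
    print("crashed hosts (WerFault pid, target pid):", crashed_hosts(tree, hosts))
```

The empty-argument check is what separates this from a legitimate RegAsm.exe run: a build or installer invokes it with an assembly path, whereas a loader only needs a signed, Microsoft-located binary to hollow.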

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x106667:$key: HawkEyeKeylogger
  • 0x1088d1:$salt: 099u787978786
  • 0x106ca8:$string1: HawkEye_Keylogger
  • 0x107afb:$string1: HawkEye_Keylogger
  • 0x108831:$string1: HawkEye_Keylogger
  • 0x107091:$string2: holdermail.txt
  • 0x1070b1:$string2: holdermail.txt
  • 0x106fd3:$string3: wallet.dat
  • 0x106feb:$string3: wallet.dat
  • 0x107001:$string3: wallet.dat
  • 0x1083f5:$string4: Keylog Records
  • 0x10870d:$string4: Keylog Records
  • 0x108929:$string5: do not script -->
  • 0x10664f:$string6: \pidloc.txt
  • 0x1066dd:$string7: BSPLIT
  • 0x1066ed:$string7: BSPLIT
00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x106d00:$hawkstr1: HawkEye Keylogger
  • 0x107b41:$hawkstr1: HawkEye Keylogger
  • 0x107e70:$hawkstr1: HawkEye Keylogger
  • 0x107fcb:$hawkstr1: HawkEye Keylogger
  • 0x10812e:$hawkstr1: HawkEye Keylogger
  • 0x1083cd:$hawkstr1: HawkEye Keylogger
  • 0x10688e:$hawkstr2: Dear HawkEye Customers!
  • 0x107ec3:$hawkstr2: Dear HawkEye Customers!
  • 0x10801a:$hawkstr2: Dear HawkEye Customers!
  • 0x108181:$hawkstr2: Dear HawkEye Customers!
  • 0x1069af:$hawkstr3: HawkEye Logger Details:
00000004.00000003.1317266489.0000000005570000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x100f7:$key: HawkEyeKeylogger
  • 0x12361:$salt: 099u787978786
  • 0x10738:$string1: HawkEye_Keylogger
  • 0x1158b:$string1: HawkEye_Keylogger
  • 0x122c1:$string1: HawkEye_Keylogger
  • 0x10b21:$string2: holdermail.txt
  • 0x10b41:$string2: holdermail.txt
  • 0x10a63:$string3: wallet.dat
  • 0x10a7b:$string3: wallet.dat
  • 0x10a91:$string3: wallet.dat
  • 0x11e85:$string4: Keylog Records
  • 0x1219d:$string4: Keylog Records
  • 0x123b9:$string5: do not script -->
  • 0x100df:$string6: \pidloc.txt
  • 0x1016d:$string7: BSPLIT
  • 0x1017d:$string7: BSPLIT
(20 entries in the full table; the remainder are not reproduced here)

      Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.RegAsm.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
1.2.RegAsm.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bfb0:$hawkstr1: HawkEye Keylogger
  • 0x7cdf1:$hawkstr1: HawkEye Keylogger
  • 0x7d120:$hawkstr1: HawkEye Keylogger
  • 0x7d27b:$hawkstr1: HawkEye Keylogger
  • 0x7d3de:$hawkstr1: HawkEye Keylogger
  • 0x7d67d:$hawkstr1: HawkEye Keylogger
  • 0x7bb3e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d173:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d431:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc5f:$hawkstr3: HawkEye Logger Details:
0.2.Versanddetails.exe.5d80000.3.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
(3 entries in the full table; the remainder are not reproduced here)
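Added example, not code from the report or from the rule authors: a minimal scanner that reproduces how the RAT_HawkEye rows in the two tables above are produced. The identifiers and literals are the ones the tables list. Searching each literal as both ASCII and UTF-16LE (the in-memory form of .NET string literals), and the condition "$key and $salt and all of ($string*)", are assumptions of this example; every RAT_HawkEye row above lists all nine identifiers, which is consistent with such a condition. The memory regions scanned are constructed inline, so the offsets differ from the report's.

```python
# Rule strings exactly as the match tables list them (identifier -> literal).
HAWKEYE_STRINGS = {
    "$key": "HawkEyeKeylogger",
    "$salt": "099u787978786",
    "$string1": "HawkEye_Keylogger",
    "$string2": "holdermail.txt",
    "$string3": "wallet.dat",
    "$string4": "Keylog Records",
    "$string5": "do not script -->",
    "$string6": "\\pidloc.txt",
    "$string7": "BSPLIT",
}


def find_all(buf: bytes, needle: bytes):
    """Yield every offset at which needle occurs in buf (overlaps included)."""
    start = 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return
        yield i
        start = i + 1


def scan(buf: bytes, strings=HAWKEYE_STRINGS):
    """Map each identifier to the sorted offsets of its literal in buf, trying
    the ASCII and the UTF-16LE encoding (assumption: the rule uses 'wide' or
    'ascii wide'). Identifiers with no hit are absent from the result."""
    hits = {}
    for ident, literal in strings.items():
        offsets = set()
        for needle in (literal.encode("ascii"), literal.encode("utf-16-le")):
            offsets.update(find_all(buf, needle))
        if offsets:
            hits[ident] = sorted(offsets)
    return hits


def matches_rat_hawkeye(hits):
    """Assumed rule condition: $key and $salt and all of ($string*)."""
    return all(ident in hits for ident in HAWKEYE_STRINGS)


def format_hits(hits, strings=HAWKEYE_STRINGS):
    """Render hits in the report's own 'offset:identifier: literal' layout."""
    return [f"0x{off:x}:{ident}: {strings[ident]}"
            for ident, offs in hits.items() for off in offs]


def build_dump(literals, lead=0x100, gap=16):
    """Constructed memory region: zero padding, then each literal as UTF-16LE
    followed by a run of zero bytes. Stands in for a real process dump."""
    out = bytearray(lead)
    for lit in literals:
        out += lit.encode("utf-16-le") + bytes(gap)
    return bytes(out)


# Constructed inputs: one region carrying the whole HawkEye string set and one
# carrying only two of them (a partial overlap that must not fire).
FULL_DUMP = build_dump(HAWKEYE_STRINGS.values())
PARTIAL_DUMP = build_dump(["wallet.dat", "holdermail.txt"])

if __name__ == "__main__":
    hits = scan(FULL_DUMP)
    print("RAT_HawkEye:", matches_rat_hawkeye(hits))
    print("\n".join(format_hits(hits)))
    print("partial region matches:", matches_rat_hawkeye(scan(PARTIAL_DUMP)))
```

The partial region is the point of the "all of" condition: strings such as wallet.dat or holdermail.txt also appear in unrelated stealers and in legitimate software, so a rule that fired on any one of them would be noisy; requiring the key, the salt and every marker together is what keeps the match table above free of false positives.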

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

Machine Learning detection for sample
Source: Versanddetails.exe | Joe Sandbox ML: detected

May infect USB drives
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000001.00000002.1332370118.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000001.00000002.1332370118.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000004.00000003.1317266489.0000000005570000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000004.00000003.1317266489.0000000005570000.00000004.00000001.sdmp | Binary or memory string: [autorun]

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 04DEA630h | 1_2_04DEA559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 04DEA630h | 1_2_04DEA568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 1_2_04DE9EF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 1_2_04DE9A2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 1_2_04DE2B75

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: 45.97.11.0.in-addr.arpa reply code: Name error (3)

Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1335404930.0000000003822000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1335404930.0000000003822000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 45.97.11.0.in-addr.arpa
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1335404930.0000000003822000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: RegAsm.exe, 00000001.00000003.1289628616.0000000005A94000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1335404930.0000000003822000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: RegAsm.exe, 00000001.00000002.1333299725.00000000027B1000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000004.00000003.1315341412.0000000005870000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1332370118.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000004.00000003.1317266489.0000000005570000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000001.00000003.1291931552.0000000005AA8000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000001.00000003.1292810007.0000000005A97000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: RegAsm.exe, 00000001.00000003.1292314043.0000000005A97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 00000001.00000002.1339575201.0000000005A90000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
Source: RegAsm.exe, 00000001.00000002.1339575201.0000000005A90000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comaH
Source: RegAsm.exe, 00000001.00000002.1339575201.0000000005A90000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comttva
Source: RegAsm.exe, 00000001.00000003.1290205208.0000000005AC5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000001.00000003.1290147575.0000000005AAB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comicbP
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000001.00000003.1291502735.0000000005AA5000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnE
Source: RegAsm.exe, 00000001.00000003.1291502735.0000000005AA5000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnIK
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000001.00000002.1335172998.00000000037B9000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1335404930.0000000003822000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000001.00000002.1333299725.00000000027B1000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000001.00000003.1291081699.0000000005AAB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comcomYP
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 00000001.00000002.1340131155.0000000005B80000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Versanddetails.exe.5d80000.3.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000003.1317266489.0000000005570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000003.1317266489.0000000005570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1287117026.0000000005775000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1287117026.0000000005775000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1287213943.0000000005D82000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1287213943.0000000005D82000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1333299725.00000000027B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1332370118.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.1332370118.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Versanddetails.exe.5d80000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Versanddetails.exe.5d80000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_05761C09 CreateProcessW, NtQueryInformationProcess, NtReadVirtualMemory, NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread | 0_2_05761C09
Source: C:\Users\user\Desktop\Versanddetails.exe | Code function: 0_2_057600AD NtOpenSection, NtMapViewOfSection | 0_2_057600AD
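Added example, not from the report: the API chain listed for code function 0_2_05761C09 is the ordered sequence of a process-hollowing loader, which is how RegAsm.exe in the Startup tree comes to contain the HawkEye payload: create a process, map or write a payload into it, rewrite the primary thread's context, resume it. The detector below checks an API trace for those stages in that order, so a loader that only maps a section in its own process, a parent that merely spawns and waits for a child, or the right calls in the wrong order do not fire. The traces are constructed (the first is the chain from the report); the stage sets are this example's own choice.

```python
# Ordered stages of the hollowing chain. Nt* names are the ones the report
# lists; the Win32 wrappers are added by this example.
STAGES = (
    ("spawn", {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("implant", {"NtMapViewOfSection", "NtWriteVirtualMemory", "WriteProcessMemory"}),
    ("redirect", {"NtSetContextThread", "SetThreadContext", "NtQueueApcThread"}),
    ("resume", {"NtResumeThread", "ResumeThread"}),
)

# Calls that corroborate the verdict when they fall between spawn and resume:
# reading the target's PEB or image, carving the section, saving the context.
SUPPORTING = {"NtQueryInformationProcess", "NtReadVirtualMemory", "ReadProcessMemory",
              "NtCreateSection", "NtUnmapViewOfSection", "VirtualAllocEx",
              "NtGetContextThread", "GetThreadContext"}


def detect_hollowing(trace):
    """Return [(stage, api, index)] when every stage appears in order, each after
    the previous stage's call; otherwise []. Supporting calls seen inside the
    spawn..resume window are appended as ("support", api, index)."""
    evidence, pos = [], 0
    for stage, apis in STAGES:
        for i in range(pos, len(trace)):
            if trace[i] in apis:
                evidence.append((stage, trace[i], i))
                pos = i + 1
                break
        else:  # stage never reached after the previous one: not hollowing
            return []
    first, last = evidence[0][2], evidence[-1][2]
    evidence += [("support", api, i) for i, api in enumerate(trace)
                 if first < i < last and api in SUPPORTING]
    return evidence


# Constructed traces. The first is the chain the report lists for 0_2_05761C09.
HOLLOWING_TRACE = [
    "CreateProcessW", "NtQueryInformationProcess", "NtReadVirtualMemory",
    "NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection",
    "NtWriteVirtualMemory", "NtGetContextThread", "NtSetContextThread",
    "NtResumeThread",
]
# A parent that launches a child and waits for it: spawn, but no implant.
BENIGN_TRACE = ["CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess", "CloseHandle"]
# A loader mapping a section into its own process: implant-like, but no spawn.
SELF_MAP_TRACE = ["NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"]
# Same calls as a hollowing loader, but the thread is resumed before the write.
OUT_OF_ORDER_TRACE = ["CreateProcessW", "NtResumeThread", "NtWriteVirtualMemory",
                      "NtSetContextThread"]

if __name__ == "__main__":
    for name, trace in [("hollowing", HOLLOWING_TRACE), ("benign", BENIGN_TRACE),
                        ("self-map", SELF_MAP_TRACE), ("out-of-order", OUT_OF_ORDER_TRACE)]:
        print(name, "->", detect_hollowing(trace) or "no match")
```

Ordering is the whole signal: each of these APIs is legitimate on its own, and even NtWriteVirtualMemory into another process is routine for debuggers, so a detector that counts calls without sequencing them will fire on tooling and miss a loader that splits the work across two functions.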
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0275B29C | 1_2_0275B29C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0275B290 | 1_2_0275B290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_027599D0 | 1_2_027599D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0275DFD0 | 1_2_0275DFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_04DEF934 | 1_2_04DEF934
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_04DFBA60 | 1_2_04DFBA60
One or more processes crash
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 2040
Sample file is different than original file name gathered from version info
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameamHpAzCZcVgJzFYP.river.exe4 vs Versanddetails.exe
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Versanddetails.exe
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Versanddetails.exe
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Versanddetails.exe
Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Versanddetails.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.1317266489.0000000005570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000003.1317266489.0000000005570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1287117026.0000000005775000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1287117026.0000000005775000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1287213943.0000000005D82000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1287213943.0000000005D82000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1333299725.00000000027B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1332370118.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.1332370118.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Versanddetails.exe.5d80000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Versanddetails.exe.5d80000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: Versanddetails.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 0.2.Versanddetails.exe.5d80000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 0.2.Versanddetails.exe.5d80000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 0.2.Versanddetails.exe.5d80000.3.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: RegAsm.exe, 00000001.00000003.1291202100.0000000005AC5000.00000004.00000001.sdmp | Binary or memory string: un Gothic is a trademark of the Microsoft group of companies.slnt
          Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@4/7@1/1
          Source: C:\Users\user\Desktop\Versanddetails.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Versanddetails.exe.log
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6908
          Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E7A.tmp
          Source: C:\Users\user\Desktop\Versanddetails.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Versanddetails.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: unknown | Process created: C:\Users\user\Desktop\Versanddetails.exe 'C:\Users\user\Desktop\Versanddetails.exe'
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 2040
          Source: C:\Users\user\Desktop\Versanddetails.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Versanddetails.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Versanddetails.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: RegAsm.PDB source: RegAsm.exe, 00000001.00000002.1341494627.000000000815A000.00000004.00000010.sdmp
          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1333299725.00000000027B1000.00000004.00000001.sdmp
          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1335172998.00000000037B9000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbX source: RegAsm.exe, 00000001.00000002.1341356084.00000000076F9000.00000004.00000001.sdmp
          Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.1341494627.000000000815A000.00000004.00000010.sdmp
          Source: Binary string: .pdb0 source: RegAsm.exe, 00000001.00000002.1341494627.000000000815A000.00000004.00000010.sdmp
          Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000001.00000003.1304291727.0000000007700000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.1317266489.0000000005570000.00000004.00000001.sdmp, WER4E7A.tmp.dmp.4.dr
          Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.1341494627.000000000815A000.00000004.00000010.sdmp
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.1341494627.000000000815A000.00000004.00000010.sdmp
          Source: Binary string: (Pqp0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000001.00000002.1341494627.000000000815A000.00000004.00000010.sdmp
          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Versanddetails.exe, 00000000.00000002.1286251082.0000000004025000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.1335404930.0000000003822000.00000004.00000001.sdmp
          Source: Binary string: .pdbg source: RegAsm.exe, 00000001.00000002.1341494627.000000000815A000.00000004.00000010.sdmp
          Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000004.00000003.1323417521.0000000005475000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 00000004.00000003.1323417521.0000000005475000.00000004.00000040.sdmp, WER4E7A.tmp.dmp.4.dr
          Source: Binary string: edputil.pdb source: WerFault.exe, 00000004.00000003.1323417521.0000000005475000.00000004.00000040.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 0.2.Versanddetails.exe.5d80000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Versanddetails.exe.5d80000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Versanddetails.exe.5d80000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Versanddetails.exe.5d80000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Versanddetails.exe Code function: 0_2_00CD5A9D push ebp; iretd 0_2_00CD5A9E
          Source: C:\Users\user\Desktop\Versanddetails.exe Code function: 0_2_00CD7BFF push esi; iretd 0_2_00CD7C2E
          Source: C:\Users\user\Desktop\Versanddetails.exe Code function: 0_2_00CD6B39 push edi; retf 0_2_00CD6B62
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0275E672 push esp; ret 1_2_0275E679
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_04DEAC12 pushfd ; ret 1_2_04DEAC21
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_04DECE3F push ecx; ret 1_2_04DECE95
          Source: initial sample Static PE information: section name: .text entropy: 7.23306297514

          Hooking and other Techniques for Hiding and Protection:

          Changes the view of files in windows explorer (hidden files and folders)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
          Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
          Source: C:\Users\user\Desktop\Versanddetails.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX