
Analysis Report order.exe

Overview

General Information

Sample Name: order.exe
Analysis ID: 260587
MD5: b0ce010716323d34b03daa2f592cb81d
SHA1: e78001665ca3104eb1f454253a848695c6416d87
SHA256: ff84f400d92cb8c48598d1be818b9611a5342cb3b41535cbad619393be384898


Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • order.exe (PID: 6800 cmdline: 'C:\Users\user\Desktop\order.exe' MD5: B0CE010716323D34B03DAA2F592CB81D)
    • RegAsm.exe (PID: 6828 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 6836 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2044 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6280 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 184 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6272 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 5592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6272 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1337005530.0000000004191000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b717:$key: HawkEyeKeylogger
  • 0x7d981:$salt: 099u787978786
  • 0x7bd58:$string1: HawkEye_Keylogger
  • 0x7cbab:$string1: HawkEye_Keylogger
  • 0x7d8e1:$string1: HawkEye_Keylogger
  • 0x7c141:$string2: holdermail.txt
  • 0x7c161:$string2: holdermail.txt
  • 0x7c083:$string3: wallet.dat
  • 0x7c09b:$string3: wallet.dat
  • 0x7c0b1:$string3: wallet.dat
  • 0x7d4a5:$string4: Keylog Records
  • 0x7d7bd:$string4: Keylog Records
  • 0x7d9d9:$string5: do not script -->
  • 0x7b6ff:$string6: \pidloc.txt
  • 0x7b78d:$string7: BSPLIT
  • 0x7b79d:$string7: BSPLIT
00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(29 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
2.2.RegAsm.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bfb0:$hawkstr1: HawkEye Keylogger
  • 0x7cdf1:$hawkstr1: HawkEye Keylogger
  • 0x7d120:$hawkstr1: HawkEye Keylogger
  • 0x7d27b:$hawkstr1: HawkEye Keylogger
  • 0x7d3de:$hawkstr1: HawkEye Keylogger
  • 0x7d67d:$hawkstr1: HawkEye Keylogger
  • 0x7bb3e:$hawkstr2: Dear HawkEye Customers!
  • 0x7d173:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d431:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc5f:$hawkstr3: HawkEye Logger Details:
(5 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 6836, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 6280

Signature Overview

AV Detection:

Found malware configuration
Source: WerFault.exe.7024.5.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}
Machine Learning detection for sample
Source: order.exe | Joe Sandbox ML: detected
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 2_2_0788FE8B
Source: unknown | DNS traffic detected: query: 41.140.13.0.in-addr.arpa replaycode: Name error (3)
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.1337005530.0000000004191000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.1337005530.0000000004191000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 41.140.13.0.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1334926363.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1276974191.0000000005652000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1276890942.0000000005041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 7024, type: MEMORY
Source: Yara match | File source: Process Memory Space: order.exe PID: 6800, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6836, type: MEMORY
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.order.exe.5650000.3.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.order.exe.5650000.3.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

                barindex
                Malicious sample detected (through community Yara rule)Show sources
                Source: 00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.1334926363.0000000003121000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.1276974191.0000000005652000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.1276974191.0000000005652000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.1276890942.0000000005041000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.1276890942.0000000005041000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.order.exe.5650000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.order.exe.5650000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Initial sample is a PE file and has a suspicious nameShow sources
                Source: initial sampleStatic PE information: Filename: order.exe
                Source: C:\Users\user\Desktop\order.exeCode function: 0_2_05031C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,0_2_05031C09
                Source: C:\Users\user\Desktop\order.exeCode function: 0_2_050300AD NtOpenSection,NtMapViewOfSection,0_2_050300AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_082125C0 NtResumeThread,2_2_082125C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_08212720 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_082127D8 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_082125BA NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_08212718 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_082127D0 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02FEB29C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02FEC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02FEB290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02FEB1F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02FE99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02FEDFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0788B4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07880040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0788EEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0788BDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0788B198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07880007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_08211BF0
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2044
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamecbsCvaKUOJNmIaOj.river.exe4 vs order.exe
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs order.exe
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs order.exe
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs order.exe
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs order.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1334926363.0000000003121000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1276974191.0000000005652000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1276974191.0000000005652000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1276890942.0000000005041000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.1276890942.0000000005041000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.order.exe.5650000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.order.exe.5650000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 0.2.order.exe.5650000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.order.exe.5650000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.order.exe.5650000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.order.exe.5650000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.order.exe.5650000.3.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/15@1/1
Source: C:\Users\user\Desktop\order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6272
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6280
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6836
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA6D8.tmp
Source: order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: unknown | Process created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2044
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 184
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6272 -s 176
Source: C:\Users\user\Desktop\order.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\order.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
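The process-creation entries above show the chain worth detecting: order.exe starts RegAsm.exe with an empty command line, the HawkEye YARA rules then match on the unpacked image at 2.2.RegAsm.exe.400000.0.unpack, and the NtWriteVirtualMemory / NtSetContextThread / NtResumeThread calls listed for RegAsm.exe at the top of this section are the write-context-resume sequence of process hollowing. The hollowed RegAsm.exe then starts vbc.exe twice with /stext pointing at holdermail.txt and holderwb.txt; /stext is the save-as-text switch of the NirSoft tools whose OriginalFilename strings (WebBrowserPassView.exe, mailpv.exe) appear in order.exe memory, not a switch of the VB compiler. The Python below is an added detection example, not code from this report or from the sample: it parses "Process created" lines into parent/child edges and flags that chain. The sample lines are constructed from the entries above; the host-binary list beyond RegAsm.exe and vbc.exe, the rule names and the user-writable-path heuristic are assumptions of the example.

```python
"""Detection logic over sandbox 'Process created' evidence lines.

Added example; not part of the sandbox report and not code from the sample.
Rule 1: a .NET framework utility started with an empty command line by a
        parent living under a user-writable path (hollowing host).
Rule 2: any child whose arguments carry NirSoft's /stext switch (credential
        dump to a text file).
Rule 3: a rule-2 child whose parent was flagged by rule 1.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Set

# Constructed sample input, copied from the report's "Process created" entries.
# The parser accepts both the extracted form ("unknownProcess created:") and a
# form with an explicit " | " cell separator.
SAMPLE_LINES = [
    r"Source: unknownProcess created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'",
    r"Source: C:\Users\user\Desktop\order.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'",
    r"Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 2044",
]

# .NET framework utilities used as injection hosts. RegAsm.exe and vbc.exe are
# the two seen in this report; the others are an assumption of this example.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe",
                "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}

LINE_RE = re.compile(
    r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<image>\S+)\s*(?P<cmdline>.*)$")
STEXT_RE = re.compile(r"""/stext\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process, or "unknown"
    image: str     # image path of the created process
    cmdline: str   # full command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def parse_line(line: str) -> Optional[ProcEvent]:
    """Return a ProcEvent for a 'Process created' line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcEvent(m["parent"].strip(), m["image"], m["cmdline"].strip())


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _user_writable(path: str) -> bool:
    # Heuristic assumption: profile, AppData and Temp paths are user-writable.
    p = path.lower()
    return "\\users\\" in p or "\\appdata\\" in p or "\\temp\\" in p


def _argv_tail(ev: ProcEvent) -> str:
    """Command line with the leading image token (quoted or bare) removed."""
    cl = ev.cmdline.strip()
    for form in (f"'{ev.image}'", f'"{ev.image}"', ev.image):
        if cl.lower().startswith(form.lower()):
            return cl[len(form):].strip()
    return cl


def analyze(lines) -> List[Finding]:
    """Two passes so rule 3 works regardless of the order of the input lines."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    findings: List[Finding] = []
    hollow_hosts: Set[str] = set()
    for ev in events:
        if (_basename(ev.image) in DOTNET_HOSTS and not _argv_tail(ev)
                and _user_writable(ev.parent)):
            hollow_hosts.add(ev.image.lower())
            findings.append(Finding("hollow_host", ev.image,
                                    f"empty command line, parent {ev.parent}"))
    for ev in events:
        m = STEXT_RE.search(_argv_tail(ev))
        if not m:
            continue
        out = next(g for g in m.groups() if g is not None)
        findings.append(Finding("nirsoft_stext", ev.image, f"dump file {out}"))
        if ev.parent.lower() in hollow_hosts:
            findings.append(Finding("dump_from_hollowed_host", ev.image,
                                    f"parent {ev.parent}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f.rule:24} {f.image}  {f.detail}")
```

On the sample input the two RegAsm.exe spawns attributed to "unknown" in the report are not counted, because rule 1 needs the parent path; only the entry that names order.exe as the parent produces a hollow_host finding, and both vbc.exe spawns then produce nirsoft_stext plus dump_from_hollowed_host. The same three rules map directly onto Sysmon event ID 1 fields (ParentImage, Image, CommandLine) if you want to run them on endpoint telemetry instead of a sandbox report.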
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: anagement.pdb source: WerFault.exe, 00000005.00000003.1318448359.000000000568A000.00000004.00000001.sdmp
                Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 0000000D.00000002.1359808387.0000000005530000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.1359044163.0000000004C20000.00000002.00000001.sdmp
                Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.1305323173.0000000003140000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.1340802024.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1341052590.0000000004B31000.00000004.00000001.sdmp
                Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000005.00000003.1318560618.0000000005689000.00000004.00000001.sdmp
                Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.1318085310.0000000005642000.00000004.00000040.sdmp
                Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp
                Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1344004460.0000000007E24000.00000004.00000001.sdmp
                Source: Binary string: (Pgp0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000002.00000002.1345492715.00000000089DA000.00000004.00000010.sdmp
                Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.1318651775.0000000005640000.00000004.00000040.sdmp
                Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.1305313178.0000000003134000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.1340802024.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1341052590.0000000004B31000.00000004.00000001.sdmp
                Source: Binary string: winnsi.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: ml.pdb source: WerFault.exe, 00000005.00000003.1318560618.0000000005689000.00000004.00000001.sdmp
                Source: Binary string: clr.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: .ni.pdb source: WerFault.exe, 00000005.00000003.1318448359.000000000568A000.00000004.00000001.sdmp
                Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000005.00000003.1318329281.0000000005674000.00000004.00000001.sdmp
                Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: ility.pdb source: WerFault.exe, 00000005.00000003.1318448359.000000000568A000.00000004.00000001.sdmp
                Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000005.00000003.1318253942.000000000565D000.00000004.00000040.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: mCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000005.00000002.1327970687.0000000002E32000.00000004.00000010.sdmp, WerFault.exe, 0000000D.00000002.1357592120.0000000002D62000.00000004.00000010.sdmp, WerFault.exe, 0000000E.00000002.1356430744.0000000000672000.00000004.00000010.sdmp
                Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.1306991233.0000000003146000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.1340802024.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1341052590.0000000004B31000.00000004.00000001.sdmp
                Source: Binary string: rasadhlp.pdbrt source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp
                Source: Binary string: System.pdbrz source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.1332275980.0000000000402000.00000040.00000001.sdmp
                Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000002.00000002.1344004460.0000000007E24000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: gdiplus.pdbjte source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: mscoree.pdb source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp
                Source: Binary string: sfc.pdb! source: WerFault.exe, 00000005.00000003.1318224002.0000000005651000.00000004.00000040.sdmp
                Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: clrjit.pdbVtQ source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: shell32.pdbk source: WerFault.exe, 00000005.00000003.1318085310.0000000005642000.00000004.00000040.sdmp
                Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: .pdb0 source: RegAsm.exe, 00000002.00000002.1345492715.00000000089DA000.00000004.00000010.sdmp
                Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.1345492715.00000000089DA000.00000004.00000010.sdmp
                Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: nsi.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.1318085310.0000000005642000.00000004.00000040.sdmp
                Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.ni.pdbRSDS source: WERA6D8.tmp.dmp.5.dr
                Source: Binary string: cryptsp.pdbBt] source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000005.00000003.1318309751.0000000005689000.00000004.00000001.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: RegAsm.PDB7 source: RegAsm.exe, 00000002.00000002.1345492715.00000000089DA000.00000004.00000010.sdmp
                Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000002.00000002.1344004460.0000000007E24000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.1318309751.0000000005689000.00000004.00000001.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: DWrite.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.1318085310.0000000005642000.00000004.00000040.sdmp
                Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.1318651775.0000000005640000.00000004.00000040.sdmp
                Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000005.00000003.1318309751.0000000005689000.00000004.00000001.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: System.Management.pdb source: WerFault.exe, 00000005.00000003.1318309751.0000000005689000.00000004.00000001.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.1305323173.0000000003140000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.1337206664.0000000003246000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERA6D8.tmp.dmp.5.dr
                Source: Binary string: sfc.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: wmswsock.pdb~ty source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.ni.pdbRSDS source: WERA6D8.tmp.dmp.5.dr
                Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.1340802024.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.1341052590.0000000004B31000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.pdbP source: WERA6D8.tmp.dmp.5.dr
                Source: Binary string: nlaapi.pdb*s source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000005.00000003.1318560618.0000000005689000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.1345492715.00000000089DA000.00000004.00000010.sdmp
                Source: Binary string: System.Core.ni.pdbRSDSD source: WERA6D8.tmp.dmp.5.dr
                Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000005.00000003.1318253942.000000000565D000.00000004.00000040.sdmp
                Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: ws2_32.pdb^r source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000005.00000003.1318309751.0000000005689000.00000004.00000001.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: rawing.pdb source: WerFault.exe, 00000005.00000003.1318560618.0000000005689000.00000004.00000001.sdmp
                Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.1318651775.0000000005640000.00000004.00000040.sdmp
                Source: Binary string: rsaenh.pdbXt[ source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: dwmapi.pdbDtG source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp
                Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: comctl32.pdb,s source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 0000000D.00000002.1359808387.0000000005530000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.1359044163.0000000004C20000.00000002.00000001.sdmp
                Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.1318085310.0000000005642000.00000004.00000040.sdmp
                Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000005.00000003.1318085310.0000000005642000.00000004.00000040.sdmp
                Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.1318085310.0000000005642000.00000004.00000040.sdmp
                Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000005.00000003.1318253942.000000000565D000.00000004.00000040.sdmp
                Source: Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: ore.pdb, source: WerFault.exe, 00000005.00000003.1318560618.0000000005689000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdb6u source: WerFault.exe, 00000005.00000003.1318309751.0000000005689000.00000004.00000001.sdmp
                Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: dnsapi.pdb s source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: System.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.1305313178.0000000003134000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.1337389230.0000000003240000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.1345492715.00000000089DA000.00000004.00000010.sdmp
                Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp
                Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.ni.pdbRSDS source: WERA6D8.tmp.dmp.5.dr
                Source: Binary string: clrjit.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.1318085310.0000000005642000.00000004.00000040.sdmp
                Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: fastprox.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: winrnr.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdbH source: WERA6D8.tmp.dmp.5.dr
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: order.exe, 00000000.00000002.1276103609.00000000039C5000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.1337005530.0000000004191000.00000004.00000001.sdmp
                Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000005.00000003.1318309751.0000000005689000.00000004.00000001.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: version.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000005.00000003.1318560618.0000000005689000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000005.00000003.1318309751.0000000005689000.00000004.00000001.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000005.00000003.1318560618.0000000005689000.00000004.00000001.sdmp
                Source: Binary string: System.pdb source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: ore.pdb source: WerFault.exe, 00000005.00000003.1318560618.0000000005689000.00000004.00000001.sdmp
                Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.1318651775.0000000005640000.00000004.00000040.sdmp
                Source: Binary string: psapi.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.Management.pdbX source: WERA6D8.tmp.dmp.5.dr
                Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.1306991233.0000000003146000.00000004.00000001.sdmp
                Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.1318651775.0000000005640000.00000004.00000040.sdmp
                Source: Binary string: msctf.pdb`tc source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdbC= source: RegAsm.exe, 00000002.00000002.1345492715.00000000089DA000.00000004.00000010.sdmp
                Source: Binary string: System.Core.pdb source: WerFault.exe, 00000005.00000003.1318309751.0000000005689000.00000004.00000001.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.1318423713.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000005.00000003.1316812905.00000000058A0000.00000004.00000001.sdmp
                Source: Binary string: wUxTheme.pdblto source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.1318280319.0000000005671000.00000004.00000001.sdmp
                Source: Binary string: comctl32.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000005.00000003.1318448359.000000000568A000.00000004.00000001.sdmp
                Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp
                Source: Binary string: System.ni.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp, WERA6D8.tmp.dmp.5.dr
                Source: Binary string: edputil.pdb source: WerFault.exe, 00000005.00000003.1318117069.000000000564B000.00000004.00000040.sdmp

                Data Obfuscation:

                .NET source code contains potential unpacker
                Source: 0.2.order.exe.5650000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.order.exe.5650000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.order.exe.5650000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.order.exe.5650000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A484D push eax; retf 0_2_005A484E
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A6C10 push cs; retf 0_2_005A6C2E
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A6C0C push cs; retf 0_2_005A6C0E
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005B0C3D push ebp; retn 0021h 0_2_005B0C7B
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A7432 push ebp; ret 0_2_005A7438
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A788C push ebx; retf 0_2_005A788E
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A5114 push eax; retf 0_2_005A514E
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A790C push 0000002Ch; iretw 0_2_005A7A9D
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A3502 push eax; retf 0_2_005A3507
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A7921 push 0000002Ch; iretw 0_2_005A7A9D
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A7656 push 00510171h; retf 0_2_005A76AE
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A6AED push eax; retf 0_2_005A6AEE
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A72E2 push esi; retf 0_2_005A72EE
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A7A9F push 00000026h; iretw 0_2_005A7AAD
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A768C push 00510171h; retf 0_2_005A76AE
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A7AAF push 00000073h; iretw 0_2_005A7ABD
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A4F4C pushad ; retf 0_2_005A4F4E
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A6BCF push cs; retf 0_2_005A6BAE
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A7BCD push ecx; retf 0_2_005A7BCE
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A6BEC push cs; retf 0_2_005A6BEE
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A77E4 push 00000010h; iretw 0_2_005A780D
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A6B81 push cs; retf 0_2_005A6BAE
                Source: C:\Users\user\Desktop\order.exe Code function: 0_2_005A6BBE push cs; retf 0_2_005A6BCE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_02FEE672 push esp; ret 2_2_02FEE679
                Source: initial sample Static PE information: section name: .text entropy: 7.17608788288