
Analysis Report Sendung.exe

Overview

General Information

Sample Name: Sendung.exe
Analysis ID: 261293
MD5: 37037b5d3bab92a5a423eeb0393a8cd5
SHA1: 9b20925bc3303b0053c736a6af33cb762dc08d9a
SHA256: 624de709b0c0d728783e02d20569c9b571db1eb4183dafefd5683e4cf124066f

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name recorded in the version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Sendung.exe (PID: 6276 cmdline: 'C:\Users\user\Desktop\Sendung.exe' MD5: 37037B5D3BAB92A5A423EEB0393A8CD5)
    • RegAsm.exe (PID: 6300 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 6760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 2052 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 1240 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 1640 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x100f7:$key: HawkEyeKeylogger
  • 0x12361:$salt: 099u787978786
  • 0x10738:$string1: HawkEye_Keylogger
  • 0x1158b:$string1: HawkEye_Keylogger
  • 0x122c1:$string1: HawkEye_Keylogger
  • 0x10b21:$string2: holdermail.txt
  • 0x10b41:$string2: holdermail.txt
  • 0x10a63:$string3: wallet.dat
  • 0x10a7b:$string3: wallet.dat
  • 0x10a91:$string3: wallet.dat
  • 0x11e85:$string4: Keylog Records
  • 0x1219d:$string4: Keylog Records
  • 0x123b9:$string5: do not script -->
  • 0x100df:$string6: \pidloc.txt
  • 0x1016d:$string7: BSPLIT
  • 0x1017d:$string7: BSPLIT
Source: 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Author: Joe Security
Source: 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, Rule: Hawkeye, Description: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x10790:$hawkstr1: HawkEye Keylogger
  • 0x115d1:$hawkstr1: HawkEye Keylogger
  • 0x11900:$hawkstr1: HawkEye Keylogger
  • 0x11a5b:$hawkstr1: HawkEye Keylogger
  • 0x11bbe:$hawkstr1: HawkEye Keylogger
  • 0x11e5d:$hawkstr1: HawkEye Keylogger
  • 0x1031e:$hawkstr2: Dear HawkEye Customers!
  • 0x11953:$hawkstr2: Dear HawkEye Customers!
  • 0x11aaa:$hawkstr2: Dear HawkEye Customers!
  • 0x11c11:$hawkstr2: Dear HawkEye Customers!
  • 0x1043f:$hawkstr3: HawkEye Logger Details:
Source: 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x106667:$key: HawkEyeKeylogger
  • 0x1088d1:$salt: 099u787978786
  • 0x106ca8:$string1: HawkEye_Keylogger
  • 0x107afb:$string1: HawkEye_Keylogger
  • 0x108831:$string1: HawkEye_Keylogger
  • 0x107091:$string2: holdermail.txt
  • 0x1070b1:$string2: holdermail.txt
  • 0x106fd3:$string3: wallet.dat
  • 0x106feb:$string3: wallet.dat
  • 0x107001:$string3: wallet.dat
  • 0x1083f5:$string4: Keylog Records
  • 0x10870d:$string4: Keylog Records
  • 0x108929:$string5: do not script -->
  • 0x10664f:$string6: \pidloc.txt
  • 0x1066dd:$string7: BSPLIT
  • 0x1066ed:$string7: BSPLIT
Source: 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Author: Joe Security
[table truncated: the full report lists 33 entries]

      Unpacked PEs

Source: 14.2.vbc.exe.400000.0.raw.unpack, Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Author: Joe Security
Source: 13.2.vbc.exe.400000.0.raw.unpack, Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Author: Joe Security
Source: 13.2.vbc.exe.400000.0.unpack, Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Author: Joe Security
Source: 14.2.vbc.exe.400000.0.unpack, Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Author: Joe Security
Source: 0.2.Sendung.exe.5200000.3.unpack, Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
[table truncated: the full report lists 9 entries]
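The Yara hits above are plain string matches reported as `offset:$name: value`. The following is an added example (my own code, not Joe Sandbox's and not the rule authors') that scans a memory dump for the same nine RAT_HawkEye indicators and reports them in that form. It searches each value both as ASCII and as UTF-16LE, because a .NET assembly such as this one keeps its string literals in the user-string heap as UTF-16LE (Yara's `wide` modifier), which is why the sandbox finds them in dumps of RegAsm.exe and WerFault.exe rather than only in dropped files. The rule condition it applies (key, salt and every $string present) is an assumption and should be checked against the published rule; the input buffer is constructed, not the sample's memory.

```python
import re
import sys

# Indicator names and values copied from the RAT_HawkEye matches above.
HAWKEYE_STRINGS = {
    "key": "HawkEyeKeylogger",
    "salt": "099u787978786",
    "string1": "HawkEye_Keylogger",
    "string2": "holdermail.txt",
    "string3": "wallet.dat",
    "string4": "Keylog Records",
    "string5": "do not script -->",
    "string6": "\\pidloc.txt",
    "string7": "BSPLIT",
}

# Each value in both encodings: .NET keeps string literals as UTF-16LE
# (Yara "wide"); native stubs and dropped files carry plain ASCII.
PATTERNS = {
    name: [
        ("ascii", re.compile(re.escape(value.encode("ascii")))),
        ("wide", re.compile(re.escape(value.encode("utf-16-le")))),
    ]
    for name, value in HAWKEYE_STRINGS.items()
}


def scan(buf):
    """Return {name: [(offset, encoding), ...]} for every indicator found in buf."""
    hits = {}
    for name, variants in PATTERNS.items():
        for enc, pat in variants:
            for m in pat.finditer(buf):
                hits.setdefault(name, []).append((m.start(), enc))
    return hits


def matches_rule(hits):
    # Assumed condition: $key and $salt and all of ($string*). Verify against
    # the real rule before treating this as a verdict.
    return set(HAWKEYE_STRINGS).issubset(hits)


def report(hits):
    """Format hits the way the sandbox lists them: 0x<offset>:$<name>: <value>."""
    lines = []
    for name, offsets in sorted(hits.items()):
        for off, enc in sorted(offsets):
            lines.append(f"0x{off:x}:${name}: {HAWKEYE_STRINGS[name]} [{enc}]")
    return lines


def build_sample():
    """Constructed stand-in for a dumped region (not the sample's memory):
    every indicator as UTF-16LE separated by filler, plus one ASCII copy
    of holdermail.txt at the end."""
    filler = b"\x00" * 64
    body = b"".join(v.encode("utf-16-le") + filler for v in HAWKEYE_STRINGS.values())
    return filler + body + b"holdermail.txt" + filler


if __name__ == "__main__":
    # Usage: python hawkeye_scan.py <dump.bin>; with no argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    found = scan(data)
    print("\n".join(report(found)))
    print("RAT_HawkEye condition satisfied:", matches_rule(found))
```

A practical caveat: the salt and key strings are build-time constants of the HawkEye builder, so they survive process hollowing and even the WerFault.exe crash-dump copy above, but a rebuilt or re-obfuscated variant may change them; the behavioural signatures further down the report are the more durable evidence.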

              Sigma Overview

              System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started, Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update), Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 6300, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 1240
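The process tree in the Startup section and the Sigma hit above describe the same two events: a .NET framework binary (RegAsm.exe) started with no arguments by an executable on the user's Desktop, and that RegAsm.exe then launching vbc.exe with `/stext <file>`, which is the save-to-text switch of the NirSoft recovery tools mapped over vbc.exe, not a compiler option. Below is an added example (my own triage code, not the sandbox's and not the Sigma rule itself) that applies those three checks to process-creation events. The field names follow the Sigma output above (Image, CommandLine, ParentImage, ProcessId); the events are constructed from the tree, with one benign MSBuild-to-csc.exe event added for contrast. The extra host names and NirSoft switches beyond RegAsm.exe, vbc.exe and /stext are my additions.

```python
import ntpath
import re

# .NET framework binaries used as injection hosts on this page (RegAsm.exe,
# vbc.exe); csc.exe, RegSvcs.exe and InstallUtil.exe are added siblings.
FRAMEWORK_HOSTS = {"regasm.exe", "vbc.exe", "csc.exe", "regsvcs.exe", "installutil.exe"}
# NirSoft save-format switches; /stext is the one on this page.
NIRSOFT_DUMP_SWITCHES = {"/stext", "/shtml", "/sverhtml", "/sxml", "/scomma", "/stab"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Tokenizer tolerant of the sandbox's single quotes and Windows' double quotes.
_TOKEN = re.compile(r'"[^"]*"' + r"|'[^']*'" + r"|\S+")


def tokenize(cmdline):
    return [t.strip("\"'") for t in _TOKEN.findall(cmdline)]


def triage(event):
    """Return a list of finding strings for one process-creation event."""
    image = ntpath.basename(event["Image"]).lower()
    parent_path = event.get("ParentImage", "").lower()
    parent = ntpath.basename(parent_path)
    argv = tokenize(event["CommandLine"])
    findings = []

    # 1. A framework host started with no arguments by something outside the
    #    OS and Program Files trees is the shape of a hollowing victim:
    #    RegAsm.exe has nothing to do without an assembly to register.
    if image in FRAMEWORK_HOSTS and len(argv) == 1 and not parent_path.startswith(TRUSTED_ROOTS):
        findings.append(f"{image} started without arguments by untrusted parent {parent_path}")

    # 2. A compiler binary carrying a NirSoft save switch means a recovery
    #    tool was mapped over it; the last token is where the loot lands.
    dump = [a.lower() for a in argv[1:] if a.lower() in NIRSOFT_DUMP_SWITCHES]
    if dump:
        findings.append(f"{image} run with {dump[0]}, output file {argv[-1]}")

    # 3. One framework host spawning another (RegAsm.exe -> vbc.exe) has no
    #    build-tool explanation.
    if image in FRAMEWORK_HOSTS and parent in FRAMEWORK_HOSTS:
        findings.append(f"framework host chain {parent} -> {image}")
    return findings


def triage_all(events):
    """Map ProcessId -> findings, keeping only processes with at least one."""
    out = {}
    for ev in events:
        f = triage(ev)
        if f:
            out[ev["ProcessId"]] = f
    return out


# Constructed events mirroring the process tree above, plus one benign build.
SAMPLE_EVENTS = [
    {"ProcessId": 6300, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\user\Desktop\Sendung.exe"},
    {"ProcessId": 1240, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"ProcessId": 1640, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    # Benign: MSBuild invoking the C# compiler with a response file (constructed).
    {"ProcessId": 4242, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig @C:\build\app.rsp',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"},
]

if __name__ == "__main__":
    for pid, findings in triage_all(SAMPLE_EVENTS).items():
        print(pid, findings)
```

The output files named in check 2 (holderwb.txt, holdermail.txt) are what the HawkEye loader reads back and exfiltrates, so on a live host they are worth collecting before cleanup: they hold the recovered browser and mail credentials in clear text.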

              Signature Overview


              AV Detection:

Found malware configuration
Source: WerFault.exe.6760.9.memstr, Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}
Machine Learning detection for sample
Source: Sendung.exe, Joe Sandbox ML: detected
May infect USB drives
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: RegAsm.exe, 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function 13_2_00408441: FindFirstFileW, FindNextFileW, wcslen, wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function 13_2_00407E0E: FindFirstFileW, FindNextFileW, FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function 1_2_07F3FE8A: 4x nop then lea esp, dword ptr [ebp-08h]
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000002.349659180.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000D.00000002.349659180.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000003.349180712.0000000000A4C000.00000004.00000001.sdmp, String found in binary or memory: le://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000003.349180712.0000000000A4C000.00000004.00000001.sdmp, String found in binary or memory: le://192.168.2.1/temp/Office16.x86.en-US.ISOfile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown, DNS traffic detected: queries for: 55.235.10.0.in-addr.arpa
Source: Sendung.exe, String found in binary or memory: http://bootswatch.com/darkly/
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 00000009.00000002.341735078.0000000002F8B000.00000004.00000020.sdmp, String found in binary or memory: http://crl.micr
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Sendung.exe, String found in binary or memory: http://getbootstrap.com)
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: RegAsm.exe, 00000001.00000002.348855706.00000000032C1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000009.00000003.325586495.0000000005A40000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000001.00000003.287843715.000000000629D000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.287324844.000000000626C000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: RegAsm.exe, 00000001.00000003.287486972.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com-u(
Source: RegAsm.exe, 00000001.00000003.287843715.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com8%
Source: RegAsm.exe, 00000001.00000003.287585282.000000000626C000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comC
Source: RegAsm.exe, 00000001.00000003.287843715.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comQ
Source: RegAsm.exe, 00000001.00000003.287543693.000000000626C000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comTC
Source: RegAsm.exe, 00000001.00000003.287493566.000000000626C000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comTC?
Source: RegAsm.exe, 00000001.00000003.287324844.000000000626C000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comic
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000001.00000003.287843715.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comn-u
Source: RegAsm.exe, 00000001.00000003.287843715.000000000629D000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.287228842.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.
Source: RegAsm.exe, 00000001.00000003.287615911.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comr-f
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 00000001.00000002.356523221.0000000006260000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.coma.
Source: RegAsm.exe, 00000001.00000002.356523221.0000000006260000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.como
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000001.00000003.290843275.0000000006273000.00000004.00000001.sdmp, String found in binary or memory: http://www.mo.J
Source: RegAsm.exe, 00000001.00000003.295690294.0000000006271000.00000004.00000001.sdmp, String found in binary or memory: http://www.monotype.-8.
Source: vbc.exe, 0000000E.00000002.546813359.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000001.00000002.348855706.00000000032C1000.00000004.00000001.sdmp, String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000001.00000003.286631292.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com#
Source: RegAsm.exe, 00000001.00000003.288012571.000000000626C000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com&2
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000001.00000002.356791060.00000000063D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 00000001.00000003.287843715.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 00000001.00000003.287155872.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn-
Source: RegAsm.exe, 00000001.00000003.287155872.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cnn-u(
Source: RegAsm.exe, 00000001.00000003.287155872.000000000629D000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cno.
Source: Sendung.exe, String found in binary or memory: https://fonts.googleapis.com/css?family=Lato:400
Source: Sendung.exe, String found in binary or memory: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css
Source: Sendung.exe, String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: vbc.exe, 0000000D.00000003.349240449.0000000000A4B000.00000004.00000001.sdmp, String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=000
Source: vbc.exe, String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe, String found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match, File source: 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.281597004.0000000005202000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.281450689.0000000004BF8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.348855706.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: WerFault.exe PID: 6760, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 6300, type: MEMORY
Source: Yara match, File source: Process Memory Space: Sendung.exe PID: 6276, type: MEMORY
Source: Yara match, File source: 0.2.Sendung.exe.5200000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Sendung.exe.5200000.3.unpack, Form1.cs, .Net Code: HookKeyboard
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs, .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function 13_2_0040D674: OpenClipboard, GetLastError, DeleteFileW
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Window created: window name: CLIPBRDWNDCLASS

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.281597004.0000000005202000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.281597004.0000000005202000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.281450689.0000000004BF8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.281450689.0000000004BF8000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000002.348855706.00000000032C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.Sendung.exe.5200000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.Sendung.exe.5200000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Sendung.exe | Code function: 0_2_04BE00AD NtOpenSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\Sendung.exe | Code function: 0_2_04BE1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07BD2778 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07BD2618 NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07BD2830 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07BD2770 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07BD2613 NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07BD2828 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_030DB29C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_030DC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_030DB290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_030DB1F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_030D99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_030DDFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07BD1C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07F3B4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07F30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07F3EEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07F3BDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07F372D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07F3B198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_07F30006
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 2052
Source: Sendung.exe, 00000000.00000002.281345391.00000000049F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamehhcQOSYEeOmgNhrW.river.exe4 vs Sendung.exe
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Sendung.exe
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Sendung.exe
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Sendung.exe
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Sendung.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: windows.security.authentication.onlineid.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: cryptnet.dll
Source: 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.281597004.0000000005202000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.281597004.0000000005202000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.281450689.0000000004BF8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.281450689.0000000004BF8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.348855706.00000000032C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Sendung.exe.5200000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Sendung.exe.5200000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Sendung.exe.5200000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.Sendung.exe.5200000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.Sendung.exe.5200000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.Sendung.exe.5200000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Sendung.exe.5200000.3.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/8@1/1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\Desktop\Sendung.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sendung.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6300
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER72EB.tmp
Source: Sendung.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sendung.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\Sendung.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, vbc.exe, 0000000D.00000002.349659180.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Sendung.exe | String found in binary or memory: -align:middle}.navbar-form .form-control-static{display:inline-block}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-co
Source: Sendung.exe | String found in binary or memory: phicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-ste
Source: Sendung.exe | String found in binary or memory: ;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-success .form-control:focus{border-color:#e6e6e6;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff}.has-success .input-group-addon{colo
Source: Sendung.exe | String found in binary or memory: ba(0,0,0,0.075)}.has-warning .form-control:focus{border-color:#e6e6e6;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff}.has-warning .input-group-addon{color:#ffffff;border-color:#ffffff
Source: Sendung.exe | String found in binary or memory: ol-feedback{color:#f39c12}.has-warning .form-control,.has-warning .form-control:focus{-webkit-box-shadow:none;box-shadow:none}.has-warning .input-group-addon{border-color:#f39c12}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .ch
Source: Sendung.exe | String found in binary or memory: r-color:#e6e6e6;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff}.has-error .input-group-addon{color:#ffffff;border-color:#ffffff;background-color:#e74c3c}.has-error .form-control-feedb
Source: Sendung.exe | String found in binary or memory: control:focus{-webkit-box-shadow:none;box-shadow:none}.has-error .input-group-addon{border-color:#e74c3c}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline,.h
Source: Sendung.exe | String found in binary or memory: :none}.has-success .input-group-addon{border-color:#00bc8c}.input-group-addon{color:#ffffff}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{border-color:#464545}.nav-tabs>li>a,.nav-pills>li>a{color:#fff}.pager a,.pager a:hover{color:#fff}.pager .disabled>a,
Source: Sendung.exe | String found in binary or memory: line .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline
Source: Sendung.exe | String found in binary or memory: 0}.input-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:66px;padding:18px 27px;font-size:19px;line-height:1.3333333;border-radius:6px}select.input-group-lg>.form
Source: Sendung.exe | String found in binary or memory: control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:66px;line-height:66px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[mult
Source: Sendung.exe | String found in binary or memory: ple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height
Source: Sendung.exe | String found in binary or memory: 35px;padding:6px 9px;font-size:13px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:35px;line-height:35px}textarea.input-group-sm>.form-control,te
Source: Sendung.exe | String found in binary or memory: tarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-grou
Source: Sendung.exe | String found in binary or memory: -addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input
Source: Sendung.exe | String found in binary or memory: group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:10px 15px;font-size:15px;font-weight:normal;line-height:1;color:#464545;text-align:center;background-color:#464545;border:1px solid transparent;border-rad
Source: Sendung.exe | String found in binary or memory: us:4px}.input-group-addon.input-sm{padding:6px 9px;font-size:13px;border-radius:3px}.input-group-addon.input-lg{padding:18px 27px;font-size:19px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.in
Source: Sendung.exe | String found in binary or memory: ut-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggl
Source: Sendung.exe | String found in binary or memory: ),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>
Source: Sendung.exe | String found in binary or memory: .input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-gro
Source: unknown | Process created: C:\Users\user\Desktop\Sendung.exe 'C:\Users\user\Desktop\Sendung.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 2052
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\Sendung.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Sendung.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Sendung.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: anagement.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.316533268.0000000002FDF000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.328125663.0000000005422000.00000004.00000040.sdmp
              Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.328324479.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: cryptbase.pdbaI!\r source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: RegAsm.pdb source: WerFault.exe, 00000009.00000002.342729752.0000000004B70000.00000002.00000001.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.328920422.0000000005420000.00000004.00000040.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.328324479.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: ml.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: .ni.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.328142881.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: DWrite.pdbvx source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000009.00000003.328430222.0000000005454000.00000004.00000001.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: ility.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: gdiplus.pdb: source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.315829741.0000000002FE5000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.328142881.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000E.00000002.546813359.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: RegAsm.pdb4 source: WerFault.exe, 00000009.00000002.342729752.0000000004B70000.00000002.00000001.sdmp
              Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.328324479.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: sfc.pdb! source: WerFault.exe, 00000009.00000003.328234949.0000000005431000.00000004.00000040.sdmp
              Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: cryptsp.pdb. source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.328125663.0000000005422000.00000004.00000040.sdmp
              Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.361074778.0000000008B1A000.00000004.00000010.sdmp
              Source: Binary string: .pdb0 source: RegAsm.exe, 00000001.00000002.361074778.0000000008B1A000.00000004.00000010.sdmp
              Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.pdb4" source: WER72EB.tmp.dmp.9.dr
              Source: Binary string: clrjit.pdb< source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.328125663.0000000005422000.00000004.00000040.sdmp
              Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000009.00000003.328142881.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER72EB.tmp.dmp.9.dr
              Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.328324479.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000001.00000002.361074778.0000000008B1A000.00000004.00000010.sdmp, WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: wmiutils.pdbnx source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: DWrite.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.328125663.0000000005422000.00000004.00000040.sdmp
              Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.328920422.0000000005420000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc.pdbFx \a source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER72EB.tmp.dmp.9.dr
              Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.328142881.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: dhcpcsvc6.pdbRx<\ source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.328324479.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS source: WER72EB.tmp.dmp.9.dr
              Source: Binary string: NapiNSP.pdbTx6\ source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: RegAsm.PDB[ source: RegAsm.exe, 00000001.00000002.361074778.0000000008B1A000.00000004.00000010.sdmp
              Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.361074778.0000000008B1A000.00000004.00000010.sdmp
              Source: Binary string: System.Core.ni.pdbRSDSD source: WER72EB.tmp.dmp.9.dr
              Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000009.00000003.328209388.000000000543D000.00000004.00000001.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb8 source: WER72EB.tmp.dmp.9.dr
              Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: rawing.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: (Pvj0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000001.00000002.361074778.0000000008B1A000.00000004.00000010.sdmp
              Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.328920422.0000000005420000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.328324479.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbj source: WerFault.exe, 00000009.00000003.328353608.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.328125663.0000000005422000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000009.00000003.328125663.0000000005422000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.328125663.0000000005422000.00000004.00000040.sdmp
              Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb{I;\ source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.328324479.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.328209388.000000000543D000.00000004.00000001.sdmp
              Source: Binary string: winrnr.pdbXx:\ source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: ore.pdb, source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: System.pdb| source: WER72EB.tmp.dmp.9.dr
              Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: propsys.pdb}I=\t source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: System.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.361074778.0000000008B1A000.00000004.00000010.sdmp
              Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdbXp* source: WER72EB.tmp.dmp.9.dr
              Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.328324479.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER72EB.tmp.dmp.9.dr
              Source: Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.328125663.0000000005422000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.328142881.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Sendung.exe, 00000000.00000002.280154728.0000000003525000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.347155829.0000000000402000.00000040.00000001.sdmp, vbc.exe
              Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdbwI7\ source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: ore.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: jCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.340418552.0000000002C72000.00000004.00000010.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.328920422.0000000005420000.00000004.00000040.sdmp
              Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.328920422.0000000005420000.00000004.00000040.sdmp
              Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: psapi.pdbzx source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.328950870.000000000542B000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdbb source: WER72EB.tmp.dmp.9.dr
              Source: Binary string: wbemsvc.pdb`x source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.328324479.0000000005451000.00000004.00000001.sdmp
              Source: Binary string: comctl32.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000009.00000003.328464868.0000000005469000.00000004.00000001.sdmp
              Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.326101054.0000000005740000.00000004.00000001.sdmp, WER72EB.tmp.dmp.9.dr
              Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.328184088.0000000005432000.00000004.00000001.sdmp

              Data Obfuscation:
