Analysis Report Account Reconciliation.exe

Overview

General Information

Sample Name: Account Reconciliation.exe
Analysis ID: 268631
MD5: 110a88034d9e642e19edf614022f99a9
SHA1: 5d7f28c30e7abf2795414f7b4276013853f3dc57
SHA256: 8a2e8c8992d6372ae7d7e4dbb4a8352fa756b7dd4e4822ff0204c2717568812a

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Account Reconciliation.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\Account Reconciliation.exe' MD5: 110A88034D9E642E19EDF614022F99A9)
    • schtasks.exe (PID: 4596 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nchGKDg' /XML 'C:\Users\user\AppData\Local\Temp\tmp7FD5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 4508 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • WerFault.exe (PID: 1452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1948 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 7052 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7068 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b6ee:$key: HawkEyeKeylogger
  • 0x7d940:$salt: 099u787978786
  • 0x7bd51:$string1: HawkEye_Keylogger
  • 0x7cb90:$string1: HawkEye_Keylogger
  • 0x7d8a0:$string1: HawkEye_Keylogger
  • 0x7c126:$string2: holdermail.txt
  • 0x7c146:$string2: holdermail.txt
  • 0x7c068:$string3: wallet.dat
  • 0x7c080:$string3: wallet.dat
  • 0x7c096:$string3: wallet.dat
  • 0x7d464:$string4: Keylog Records
  • 0x7d77c:$string4: Keylog Records
  • 0x7d998:$string5: do not script -->
  • 0x7b6d6:$string6: \pidloc.txt
  • 0x7b764:$string7: BSPLIT
  • 0x7b774:$string7: BSPLIT

Source: 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bda9:$hawkstr1: HawkEye Keylogger
  • 0x7cbd6:$hawkstr1: HawkEye Keylogger
  • 0x7cf05:$hawkstr1: HawkEye Keylogger
  • 0x7d060:$hawkstr1: HawkEye Keylogger
  • 0x7d1c3:$hawkstr1: HawkEye Keylogger
  • 0x7d43c:$hawkstr1: HawkEye Keylogger
  • 0x7b937:$hawkstr2: Dear HawkEye Customers!
  • 0x7cf58:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0af:$hawkstr2: Dear HawkEye Customers!
  • 0x7d216:$hawkstr2: Dear HawkEye Customers!
  • 0x7ba58:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source: 5.2.RegSvcs.exe.400000.0.unpack
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b8ee:$key: HawkEyeKeylogger
  • 0x7db40:$salt: 099u787978786
  • 0x7bf51:$string1: HawkEye_Keylogger
  • 0x7cd90:$string1: HawkEye_Keylogger
  • 0x7daa0:$string1: HawkEye_Keylogger
  • 0x7c326:$string2: holdermail.txt
  • 0x7c346:$string2: holdermail.txt
  • 0x7c268:$string3: wallet.dat
  • 0x7c280:$string3: wallet.dat
  • 0x7c296:$string3: wallet.dat
  • 0x7d664:$string4: Keylog Records
  • 0x7d97c:$string4: Keylog Records
  • 0x7db98:$string5: do not script -->
  • 0x7b8d6:$string6: \pidloc.txt
  • 0x7b964:$string7: BSPLIT
  • 0x7b974:$string7: BSPLIT

Source: 5.2.RegSvcs.exe.400000.0.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 5.2.RegSvcs.exe.400000.0.unpack
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 5.2.RegSvcs.exe.400000.0.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 5.2.RegSvcs.exe.400000.0.unpack
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bfa9:$hawkstr1: HawkEye Keylogger
  • 0x7cdd6:$hawkstr1: HawkEye Keylogger
  • 0x7d105:$hawkstr1: HawkEye Keylogger
  • 0x7d260:$hawkstr1: HawkEye Keylogger
  • 0x7d3c3:$hawkstr1: HawkEye Keylogger
  • 0x7d63c:$hawkstr1: HawkEye Keylogger
  • 0x7bb37:$hawkstr2: Dear HawkEye Customers!
  • 0x7d158:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2af:$hawkstr2: Dear HawkEye Customers!
  • 0x7d416:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc58:$hawkstr3: HawkEye Logger Details:

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nchGKDg' /XML 'C:\Users\user\AppData\Local\Temp\tmp7FD5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nchGKDg' /XML 'C:\Users\user\AppData\Local\Temp\tmp7FD5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Account Reconciliation.exe' , ParentImage: C:\Users\user\Desktop\Account Reconciliation.exe, ParentProcessId: 6952, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nchGKDg' /XML 'C:\Users\user\AppData\Local\Temp\tmp7FD5.tmp', ProcessId: 4596
Sigma detected: Suspicious Process Creation
Source: Process started; Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update); Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: {path}, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 4508, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', ProcessId: 7052

Signature Overview

AV Detection:

Found malware configuration
Source: WerFault.exe.1452.16.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\nchGKDg.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Account Reconciliation.exe; Joe Sandbox ML: detected
Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp; Binary or memory string: autorun.inf
Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp; Binary or memory string: [autorun]
Source: RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp; Binary or memory string: autorun.inf
Source: RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp; Binary or memory string: [autorun]
Source: RegSvcs.exe, 00000005.00000002.348169441.000000000355A000.00000004.00000001.sdmp; Binary or memory string: l[autorun]
Source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp; Binary or memory string: autorun.inf
Source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp; Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_0807FE8B
Source: unknown; DNS traffic detected: query: 209.183.8.0.in-addr.arpa replycode: Name error (3)
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: unknownDNS traffic detected: queries for: 209.183.8.0.in-addr.arpa
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: RegSvcs.exe, 00000005.00000003.273137987.00000000064CE000.00000004.00000001.sdmpString found in binary or memory: http://en.wikip
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
              Source: Account Reconciliation.exe, 00000000.00000002.271259077.00000000029C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.347549853.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
              Source: WerFault.exe, 00000010.00000003.320118555.0000000005770000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: RegSvcs.exe, 00000005.00000003.274160957.00000000064C8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
              Source: RegSvcs.exe, 00000005.00000003.274160957.00000000064C8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comL
              Source: RegSvcs.exe, 00000005.00000003.274072975.00000000064C8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comaH:
              Source: RegSvcs.exe, 00000005.00000003.274225271.00000000064C8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comfac
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: RegSvcs.exe, 00000005.00000003.274135383.00000000064C8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comt
              Source: RegSvcs.exe, 00000005.00000003.274225271.00000000064C8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com~
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: RegSvcs.exe, 00000005.00000003.279824401.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmp, RegSvcs.exe, 00000005.00000003.285751921.00000000064CA000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000003.285714464.00000000064CA000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000003.280421741.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: RegSvcs.exe, 00000005.00000003.279824401.00000000064CA000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000003.279757469.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: RegSvcs.exe, 00000005.00000003.285614975.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmp, RegSvcs.exe, 00000005.00000003.285511407.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: RegSvcs.exe, 00000005.00000003.282694586.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlL
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: RegSvcs.exe, 00000005.00000003.294068862.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersB
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: RegSvcs.exe, 00000005.00000003.285751921.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG6
              Source: RegSvcs.exe, 00000005.00000003.281720277.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersL6
              Source: RegSvcs.exe, 00000005.00000003.285751921.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersQ6
              Source: RegSvcs.exe, 00000005.00000003.285751921.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comA
              Source: RegSvcs.exe, 00000005.00000003.287072216.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comE.TTF_
              Source: RegSvcs.exe, 00000005.00000003.285751921.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsa
              Source: RegSvcs.exe, 00000005.00000003.286116804.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomm
              Source: RegSvcs.exe, 00000005.00000003.285511407.00000000064CA000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000003.280421741.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
              Source: RegSvcs.exe, 00000005.00000003.295584140.00000000064C9000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.comt
              Source: RegSvcs.exe, 00000005.00000003.281720277.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed
              Source: RegSvcs.exe, 00000005.00000003.281720277.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessedt
              Source: RegSvcs.exe, 00000005.00000003.285511407.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comkf
              Source: RegSvcs.exe, 00000005.00000003.281720277.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
              Source: RegSvcs.exe, 00000005.00000003.279757469.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comnc.
              Source: RegSvcs.exe, 00000005.00000003.295584140.00000000064C9000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000003.286116804.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
              Source: RegSvcs.exe, 00000005.00000003.295584140.00000000064C9000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoitu
              Source: RegSvcs.exe, 00000005.00000003.281720277.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comue
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmp, RegSvcs.exe, 00000005.00000003.273256418.00000000064CE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: RegSvcs.exe, 00000005.00000003.273137987.00000000064CE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn$7J
              Source: RegSvcs.exe, 00000005.00000003.273710671.00000000064C5000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn.:A
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: RegSvcs.exe, 00000005.00000003.273389319.00000000064CE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnh
              Source: RegSvcs.exe, 00000005.00000003.273137987.00000000064CE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cni
              Source: RegSvcs.exe, 00000005.00000003.273256418.00000000064CE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnr-c
              Source: RegSvcs.exe, 00000005.00000003.273256418.00000000064CE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn~
              Source: RegSvcs.exe, 00000005.00000003.289282253.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: RegSvcs.exe, 00000005.00000003.289767933.00000000064E7000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm2b
              Source: RegSvcs.exe, 00000005.00000003.289282253.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/t4
              Source: RegSvcs.exe, 00000005.00000003.289282253.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/z4
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: RegSvcs.exe, 00000005.00000003.272812194.00000000064CE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krF
              Source: RegSvcs.exe, 00000005.00000003.272812194.00000000064CE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krn
              Source: RegSvcs.exe, 00000005.00000003.275885532.00000000064CA000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000003.275188594.00000000064C5000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000003.276962295.00000000064C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: RegSvcs.exe, 00000005.00000003.275543839.00000000064C5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//:
              Source: RegSvcs.exe, 00000005.00000003.275885532.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/5
              Source: RegSvcs.exe, 00000005.00000003.275885532.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/8
              Source: RegSvcs.exe, 00000005.00000003.275885532.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H
              Source: RegSvcs.exe, 00000005.00000003.275885532.00000000064CA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/P
              Source: RegSvcs.exe, 00000005.00000003.275885532.00000000064CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
              Source: RegSvcs.exe, 00000005.00000003.277993486.00000000064C9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/f
              Source: RegSvcs.exe, 00000005.00000003.277993486.00000000064C9000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000003.275885532.00000000064CA000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000003.276244966.00000000064C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
              Source: RegSvcs.exe, 00000005.00000003.276244966.00000000064C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t
              Source: RegSvcs.exe, 00000005.00000003.274310589.00000000064C8000.00000004.00000001.sdmp | String found in binary or memory: http://www.micro.
              Source: RegSvcs.exe, 00000005.00000003.281720277.00000000064CA000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000003.290270299.00000000064CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
              Source: RegSvcs.exe, 00000005.00000003.288992377.00000000064CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.L
              Source: RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
              Source: RegSvcs.exe, 00000005.00000003.277262383.00000000064C8000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comr
              Source: RegSvcs.exe, 00000005.00000003.277607388.00000000064C8000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com~
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
              Source: RegSvcs.exe, 00000005.00000003.272812194.00000000064CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krcom
              Source: RegSvcs.exe, 00000005.00000003.272750353.00000000064CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krony
              Source: RegSvcs.exe, 00000005.00000002.347644797.00000000032FA000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
              Source: RegSvcs.exe, 00000005.00000003.274859679.00000000064C8000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comI0
              Source: RegSvcs.exe, 00000005.00000003.274693866.00000000064C8000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comicL
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
              Source: RegSvcs.exe, 00000005.00000003.286302064.00000000064CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
              Source: RegSvcs.exe, 00000005.00000003.279569063.00000000064CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.detu
              Source: RegSvcs.exe, 00000005.00000003.286302064.00000000064CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dev0
              Source: RegSvcs.exe, 00000005.00000003.279569063.00000000064CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dewa
              Source: RegSvcs.exe, 00000005.00000003.279569063.00000000064CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dex0
              Source: RegSvcs.exe, 00000005.00000002.351263502.0000000006590000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
              Source: RegSvcs.exe, 00000005.00000003.274009504.00000000064C5000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnaH:

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match | File source: 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.348106652.000000000353C000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.348077217.000000000352C000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 1452, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Account Reconciliation.exe PID: 6952, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4508, type: MEMORY
              Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)
              Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
              Installs a global keyboard hook
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000002.348106652.000000000353C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000002.348077217.000000000352C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | Code function: 0_2_01060468
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | Code function: 0_2_01061740
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_017CB29C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_017CC310
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_017CB290
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_017C99D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_017CDFD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_07DD1BF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0807BDB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0807EEC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_08070040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0807B4E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_08070006
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0807B198
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1948
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Account Reconciliation.exe
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Account Reconciliation.exe
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Account Reconciliation.exe
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Account Reconciliation.exe
              Source: Account Reconciliation.exe, 00000000.00000002.279459045.00000000049C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs Account Reconciliation.exe
              Source: Account Reconciliation.exe, 00000000.00000002.287662119.000000000F0B0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Account Reconciliation.exe
              Source: Account Reconciliation.exe, 00000000.00000002.271259077.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAmun.dll, vs Account Reconciliation.exe
              Source: Account Reconciliation.exe, 00000000.00000002.288354535.000000000F1A0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Account Reconciliation.exe
              Source: Account Reconciliation.exe, 00000000.00000002.288354535.000000000F1A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Account Reconciliation.exe
              Source: Account Reconciliation.exe, 00000000.00000002.269877469.0000000000746000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameHHd.exe8 vs Account Reconciliation.exe
              Source: Account Reconciliation.exe | Binary or memory string: OriginalFilenameHHd.exe8 vs Account Reconciliation.exe
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: webio.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: cryptnet.dll
              Source: 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000005.00000002.348106652.000000000353C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000005.00000002.348077217.000000000352C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: Account Reconciliation.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: nchGKDg.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'NlYlPFj3sfbL9B+Hdl5MsaC/zJhmdnavk/JjdHgSL33EhNbiPvw4h8ddePxaqSFFNJBkyK7Iw1MluhdkEUbu9A==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/10@1/1
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | File created: C:\Users\user\AppData\Roaming\nchGKDg.exe
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_01
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4508
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7FD5.tmp
              Source: Account Reconciliation.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | File read: C:\Users\user\Desktop\Account Reconciliation.exe
              Source: unknown | Process created: C:\Users\user\Desktop\Account Reconciliation.exe 'C:\Users\user\Desktop\Account Reconciliation.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nchGKDg' /XML 'C:\Users\user\AppData\Local\Temp\tmp7FD5.tmp'
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1948
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nchGKDg' /XML 'C:\Users\user\AppData\Local\Temp\tmp7FD5.tmp'
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
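The process chain recorded above is what a detection keys on: schtasks.exe registering a task from an XML file in the user's Temp directory (the "Scheduled temp file as task from temp location" Sigma hit), a .NET framework utility (RegSvcs.exe) started by an executable on the Desktop, and that RegSvcs.exe spawning vbc.exe with NirSoft's /stext switch, which vbc.exe itself never takes. The following Python is an added example, not part of the sandbox report and not any vendor's rule set: it runs three such rules over process-creation events. The events are constructed from the report's process tree (PIDs 6952, 4588, 4508 and 1452 come from the report; the two vbc.exe PIDs, the parent PIDs and the benign compiler run at the end are made up), and the field names pid, ppid, image and cmdline are an assumed generic schema rather than any particular EDR's.

```python
"""Process-tree detections for the HawkEye chain in this report.  Added example:
events are constructed from the report's process tree, and the record layout
(pid, ppid, image, cmdline) is an assumed generic schema, not a specific EDR's."""
import re
from pathlib import PureWindowsPath
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed events.  PIDs 6952, 4588, 4508 and 1452 appear in the report; the
# vbc.exe PIDs, the parent PIDs and the benign compiler run are made up.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 6952, "ppid": 1000, "image": r"C:\Users\user\Desktop\Account Reconciliation.exe",
     "cmdline": r"'C:\Users\user\Desktop\Account Reconciliation.exe'"},
    {"pid": 4588, "ppid": 6952, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nchGKDg' /XML 'C:\Users\user\AppData\Local\Temp\tmp7FD5.tmp'"},
    {"pid": 4508, "ppid": 6952, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"{path}"},
    {"pid": 1452, "ppid": 4508, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1948"},
    {"pid": 5000, "ppid": 4508, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"},
    {"pid": 5001, "ppid": 4508, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"},
    # Benign control: a real Visual Basic compilation must not fire any rule.
    {"pid": 7000, "ppid": 2000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r"vbc.exe /target:library /out:Lib.dll Lib.vb"},
]

# The sandbox renders the original double quotes as single quotes, so honour both.
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")

def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, stripping matching quotes."""
    out = []
    for t in _TOKEN.findall(cmdline):
        if len(t) >= 2 and t[0] in "'\"" and t[-1] == t[0]:
            t = t[1:-1]
        out.append(t)
    return out

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "vbc.exe", "csc.exe"}

def rule_schtasks_xml_from_temp(ev: Event, by_pid: Dict[int, Event]) -> bool:
    """schtasks /Create whose /XML task definition lives in a temp directory."""
    if basename(str(ev["image"])) != "schtasks.exe":
        return False
    toks = [t.lower() for t in tokenize(str(ev["cmdline"]))]
    if "/create" not in toks or "/xml" not in toks:
        return False
    i = toks.index("/xml")
    return i + 1 < len(toks) and any(m in toks[i + 1] for m in TEMP_MARKERS)

def rule_stext_in_dotnet_host(ev: Event, by_pid: Dict[int, Event]) -> bool:
    """A .NET framework binary carrying NirSoft's /stext switch: the image has been
    hollowed and is running a password-recovery tool, not its own code."""
    toks = [t.lower() for t in tokenize(str(ev["cmdline"]))]
    return basename(str(ev["image"])) in DOTNET_HOSTS and "/stext" in toks

def rule_regsvcs_from_user_dir(ev: Event, by_pid: Dict[int, Event]) -> bool:
    """RegSvcs/RegAsm launched by something living under C:\\Users (a common
    injection target for .NET loaders; installers run them from Program Files)."""
    if basename(str(ev["image"])) not in {"regsvcs.exe", "regasm.exe"}:
        return False
    parent = by_pid.get(int(ev["ppid"]))
    return parent is not None and str(parent["image"]).lower().startswith("c:\\users\\")

RULES: Dict[str, Callable[[Event, Dict[int, Event]], bool]] = {
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "stext_in_dotnet_host": rule_stext_in_dotnet_host,
    "regsvcs_from_user_dir": rule_regsvcs_from_user_dir,
}

def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that matches a rule."""
    by_pid = {int(e["pid"]): e for e in events}
    hits: List[Tuple[str, int]] = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev, by_pid):
                hits.append((name, int(ev["pid"])))
    return hits

if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name:24s} pid={pid}")
```

Run against the constructed events, the three rules fire on the schtasks.exe, RegSvcs.exe and both vbc.exe instances, and stay silent on WerFault.exe and on the genuine compiler invocation. The parent lookup in the third rule is the reason the events carry ppid: the RegSvcs.exe command line ("{path}") says nothing on its own.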
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\Desktop\Account Reconciliation.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: Account Reconciliation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Account Reconciliation.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: System.Xml.pdbP<S source: WERDECD.tmp.dmp.16.dr
              Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: anagement.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.311177757.0000000004CF6000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdbr source: WERDECD.tmp.dmp.16.dr
              Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.328078962.0000000005268000.00000004.00000040.sdmp
              Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.327904101.0000000005291000.00000004.00000001.sdmp
              Source: Binary string: pnrpnsp.pdbS source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.327904101.0000000005291000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.327904101.0000000005291000.00000004.00000001.sdmp
              Source: Binary string: fastprox.pdbi source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: winnsi.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: ml.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdbp source: WerFault.exe, 00000010.00000003.327904101.0000000005291000.00000004.00000001.sdmp
              Source: Binary string: clr.pdb source: WerFault.exe, 00000010.00000003.328137428.0000000005260000.00000004.00000040.sdmp
              Source: Binary string: .ni.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.327904101.0000000005291000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.pdbXSS source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: ility.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.327904101.0000000005291000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: CLBCatQ.pdbG source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: ml.pdbe source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.309913441.0000000002E55000.00000004.00000001.sdmp
              Source: Binary string: ole32.pdb} source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.327759711.0000000005262000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.353732148.0000000007DC0000.00000004.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp
              Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: RegSvcs.exe, 00000005.00000002.355411720.0000000008B5A000.00000004.00000010.sdmp
              Source: Binary string: System.Management.pdb'SSe source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: mscoree.pdb source: WerFault.exe, 00000010.00000003.327904101.0000000005291000.00000004.00000001.sdmp
              Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000010.00000003.327759711.0000000005262000.00000004.00000040.sdmp
              Source: Binary string: symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.355411720.0000000008B5A000.00000004.00000010.sdmp
              Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb'SSe source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: comctl32.pdbc source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: nsi.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000010.00000003.328078962.0000000005268000.00000004.00000040.sdmp
              Source: Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WERDECD.tmp.dmp.16.dr
              Source: Binary string: System.Configuration.ni.pdb'SSe source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: comctl32v582.pdb"R[i source: WerFault.exe, 00000010.00000003.327823706.0000000005276000.00000004.00000040.sdmp
              Source: Binary string: ole32.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb'SSe source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: System.pdb'SSe source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: comctl32v582.pdb"R[i) source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.355411720.0000000008B5A000.00000004.00000010.sdmp, WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: DWrite.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb'SSe source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.327759711.0000000005262000.00000004.00000040.sdmp
              Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: System.Management.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERDECD.tmp.dmp.16.dr
              Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS source: WERDECD.tmp.dmp.16.dr
              Source: Binary string: profapi.pdb[ source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: nsi.pdb"[[` source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: System.Core.ni.pdbRSDSD source: WERDECD.tmp.dmp.16.dr
              Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: rawing.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdbMRR source: WerFault.exe, 00000010.00000003.327823706.0000000005276000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000010.00000003.327759711.0000000005262000.00000004.00000040.sdmp
              Source: Binary string: nlaapi.pdb! source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.Runtime.Remoting.pdbvk@ source: WERDECD.tmp.dmp.16.dr
              Source: Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: wbemprox.pdbA source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb'SSe source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.328137428.0000000005260000.00000004.00000040.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.pdb'SSe source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.328137428.0000000005260000.00000004.00000040.sdmp
              Source: Binary string: edputil.pdbM source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: j0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.355411720.0000000008B5A000.00000004.00000010.sdmp
              Source: Binary string: System.Core.pdb'SSe source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: wUxTheme.pdbO source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: oleaut32.pdbU source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdbI source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: winnsi.pdb9 source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdb'SSe source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.328137428.0000000005260000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc.pdb_ source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.327904101.0000000005291000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WERDECD.tmp.dmp.16.dr
              Source: Binary string: clrjit.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdb\ source: WERDECD.tmp.dmp.16.dr
              Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: fastprox.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: winrnr.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: wbemcomn.pdbo source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: onfiguration.pdbn source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: RegSvcs.PDBp source: RegSvcs.exe, 00000005.00000002.355411720.0000000008B5A000.00000004.00000010.sdmp
              Source: Binary string: msctf.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Account Reconciliation.exe, 00000000.00000002.282043939.0000000005851000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.345265531.0000000000402000.00000040.00000001.sdmp
              Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: version.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: System.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: ore.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.328137428.0000000005260000.00000004.00000040.sdmp
              Source: Binary string: psapi.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdbC source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.327904101.0000000005291000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000010.00000003.327759711.0000000005262000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000010.00000003.309913441.0000000002E55000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.327904101.0000000005291000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: combase.pdbk source: WerFault.exe, 00000010.00000003.327759711.0000000005262000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.328091513.000000000526B000.00000004.00000040.sdmp
              Source: Binary string: .pdb source: RegSvcs.exe, 00000005.00000002.355411720.0000000008B5A000.00000004.00000010.sdmp
              Source: Binary string: comctl32.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 00000010.00000003.327992718.000000000527C000.00000004.00000001.sdmp
              Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb source: WerFault.exe, 00000010.00000003.323655329.0000000005470000.00000004.00000001.sdmp, WERDECD.tmp.dmp.16.dr
              Source: Binary string: iphlpapi.pdb3 source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp
              Source: Binary string: edputil.pdb source: WerFault.exe, 00000010.00000003.327706861.000000000526E000.00000004.00000040.sdmp

              Data Obfuscation:

.NET source code contains potential unpacker
Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs, .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs, .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs, .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegSvcs.exe.400000.0.unpack, Form1.cs, .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Account Reconciliation.exe, Code function: 0_2_00695C76 push ebx; ret 0_2_00695C8C
Source: initial sample, Static PE information: section name: .text entropy: 7.91132516835
Source: C:\Users\user\Desktop\Account Reconciliation.exe, File created: C:\Users\user\AppData\Roaming\nchGKDg.exe

              Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nchGKDg' /XML 'C:\Users\user\AppData\Local\Temp\tmp7FD5.tmp'

              Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Windows\SysWOW64\WerFault.exe, Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\Account Reconciliation.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Account Reconciliation.e