
Analysis Report Verfolgung.exe

Overview

General Information

Sample Name: Verfolgung.exe
Analysis ID: 269732
MD5: b8c8e2ed38e36f7df43e32f11275cb4d
SHA1: 069627d495565967082c20f79f264d7d0ab0a918
SHA256: 91738cb45f5a36f2c957d9aa58c5ccf07c377a50c7d2e134e203347cbbccd0a1

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Verfolgung.exe (PID: 6796 cmdline: 'C:\Users\user\Desktop\Verfolgung.exe' MD5: B8C8E2ED38E36F7DF43E32F11275CB4D)
    • RegAsm.exe (PID: 6824 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 6832 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • WerFault.exe (PID: 5748 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6832 -s 1844 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 5432 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6432 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b717:$key: HawkEyeKeylogger
  • 0x7d981:$salt: 099u787978786
  • 0x7bd58:$string1: HawkEye_Keylogger
  • 0x7cbab:$string1: HawkEye_Keylogger
  • 0x7d8e1:$string1: HawkEye_Keylogger
  • 0x7c141:$string2: holdermail.txt
  • 0x7c161:$string2: holdermail.txt
  • 0x7c083:$string3: wallet.dat
  • 0x7c09b:$string3: wallet.dat
  • 0x7c0b1:$string3: wallet.dat
  • 0x7d4a5:$string4: Keylog Records
  • 0x7d7bd:$string4: Keylog Records
  • 0x7d9d9:$string5: do not script -->
  • 0x7b6ff:$string6: \pidloc.txt
  • 0x7b78d:$string7: BSPLIT
  • 0x7b79d:$string7: BSPLIT
00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bdb0:$hawkstr1: HawkEye Keylogger
  • 0x7cbf1:$hawkstr1: HawkEye Keylogger
  • 0x7cf20:$hawkstr1: HawkEye Keylogger
  • 0x7d07b:$hawkstr1: HawkEye Keylogger
  • 0x7d1de:$hawkstr1: HawkEye Keylogger
  • 0x7d47d:$hawkstr1: HawkEye Keylogger
  • 0x7b93e:$hawkstr2: Dear HawkEye Customers!
  • 0x7cf73:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0ca:$hawkstr2: Dear HawkEye Customers!
  • 0x7d231:$hawkstr2: Dear HawkEye Customers!
  • 0x7ba5f:$hawkstr3: HawkEye Logger Details:
(33 entries in total; the remaining entries are not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
7.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
2.2.RegAsm.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b917:$key: HawkEyeKeylogger
  • 0x7db81:$salt: 099u787978786
  • 0x7bf58:$string1: HawkEye_Keylogger
  • 0x7cdab:$string1: HawkEye_Keylogger
  • 0x7dae1:$string1: HawkEye_Keylogger
  • 0x7c341:$string2: holdermail.txt
  • 0x7c361:$string2: holdermail.txt
  • 0x7c283:$string3: wallet.dat
  • 0x7c29b:$string3: wallet.dat
  • 0x7c2b1:$string3: wallet.dat
  • 0x7d6a5:$string4: Keylog Records
  • 0x7d9bd:$string4: Keylog Records
  • 0x7dbd9:$string5: do not script -->
  • 0x7b8ff:$string6: \pidloc.txt
  • 0x7b98d:$string7: BSPLIT
  • 0x7b99d:$string7: BSPLIT
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(9 entries in total; the remaining entries are not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 6832, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt', ProcessId: 5432

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.5432.7.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: RegAsm.exe, 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\Desktop\Verfolgung.exe | Code function: 0_2_013B1118 4x nop then mov esp, ebp
Source: C:\Users\user\Desktop\Verfolgung.exe | Code function: 0_2_013B1110 4x nop then mov esp, ebp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F26D9 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FC63A 4x nop then call 053AA6E8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FC63A 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FC550 4x nop then call 053AA6E8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FC550 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FCC24 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F2BA1 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FC8FF 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F2835 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FD3ED 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FD303 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F326B 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FBDF0 4x nop then call 053AA6E8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FBDF0 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B62B36 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B629A0 4x nop then lea esp, dword ptr [ebp-08h]
Source: unknown | DNS traffic detected: query: 51.143.5.0.in-addr.arpa replaycode: Name error (3)
Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.296932814.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.296932814.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.296488217.0000000000B1C000.00000004.00000001.sdmp | String found in binary or memory: ogle.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.296488217.0000000000B1C000.00000004.00000001.sdmp | String found in binary or memory: ogle.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 51.143.5.0.in-addr.arpa
Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: RegAsm.exe, 00000002.00000002.296655328.0000000002BE1000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000006.00000003.268363077.0000000005C80000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: RegAsm.exe, 00000002.00000003.225289414.0000000005E94000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000002.00000003.225706220.0000000005E97000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000003.225551351.0000000005E99000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000003.225486568.0000000005E98000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: RegAsm.exe, 00000002.00000003.225706220.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com-d
Source: RegAsm.exe, 00000002.00000003.225706220.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com-e
Source: RegAsm.exe, 00000002.00000003.225551351.0000000005E99000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com//ws
Source: RegAsm.exe, 00000002.00000003.225706220.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comH
Source: RegAsm.exe, 00000002.00000003.225854872.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: RegAsm.exe, 00000002.00000003.225706220.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma-eb
Source: RegAsm.exe, 00000002.00000003.225633159.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comark
Source: RegAsm.exe, 00000002.00000003.225551351.0000000005E99000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comd
Source: RegAsm.exe, 00000002.00000003.225706220.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comde
Source: RegAsm.exe, 00000002.00000003.225706220.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comh
Source: RegAsm.exe, 00000002.00000003.225486568.0000000005E98000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comhlyP
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000002.00000003.225706220.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: RegAsm.exe, 00000002.00000003.225486568.0000000005E98000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comncy#
Source: RegAsm.exe, 00000002.00000003.225418181.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comv
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 00000002.00000003.229958269.0000000005E9C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 00000002.00000003.230377064.0000000005E9C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerso
Source: RegAsm.exe, 00000002.00000003.230377064.0000000005E9C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerss
Source: RegAsm.exe, 00000002.00000003.233415369.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comE.TTFu
Source: RegAsm.exe, 00000002.00000003.233415369.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: RegAsm.exe, 00000002.00000002.305005871.0000000005E90000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comQ
Source: RegAsm.exe, 00000002.00000003.230377064.0000000005E9C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: RegAsm.exe, 00000002.00000003.233415369.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsF
Source: RegAsm.exe, 00000002.00000003.229958269.0000000005E9C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comc
Source: RegAsm.exe, 00000002.00000003.233415369.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcom
Source: RegAsm.exe, 00000002.00000003.230377064.0000000005E9C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessedO
Source: RegAsm.exe, 00000002.00000002.305005871.0000000005E90000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comicc
Source: RegAsm.exe, 00000002.00000003.233415369.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comitudQ
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp, RegAsm.exe, 00000002.00000003.224507522.0000000005E9A000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000002.00000003.224571898.0000000005ECD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/d
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 00000002.00000003.235081451.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/O
Source: RegAsm.exe, 00000002.00000003.235081451.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/Q
Source: RegAsm.exe, 00000002.00000003.235081451.0000000005E97000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000002.00000003.227479807.0000000005E9F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 00000002.00000003.227479807.0000000005E9F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: RegAsm.exe, 00000002.00000003.227479807.0000000005E9F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: RegAsm.exe, 00000002.00000003.227112893.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: RegAsm.exe, 00000002.00000003.227479807.0000000005E9F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0O
Source: RegAsm.exe, 00000002.00000003.227479807.0000000005E9F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: RegAsm.exe, 00000002.00000003.227479807.0000000005E9F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/c
Source: RegAsm.exe, 00000002.00000003.227112893.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: RegAsm.exe, 00000002.00000003.227479807.0000000005E9F000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: vbc.exe, vbc.exe, 00000008.00000002.287210355.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000002.00000003.222404975.0000000005E96000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000002.00000003.222404975.0000000005E96000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comX
Source: RegAsm.exe, 00000002.00000003.222404975.0000000005E96000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.come
Source: RegAsm.exe, 00000002.00000003.222404975.0000000005E96000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comj
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000002.00000002.296655328.0000000002BE1000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000002.00000002.305458490.0000000006000000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 00000002.00000003.225418181.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 00000002.00000003.225289414.0000000005E94000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnH
Source: RegAsm.exe, 00000002.00000003.225397219.0000000005E94000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnl-g
Source: RegAsm.exe, 00000002.00000003.225418181.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.7
Source: RegAsm.exe, 00000002.00000003.225418181.0000000005E97000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnorm
Source: Verfolgung.exe | String found in binary or memory: https://auth.api.rackspacecloud.com/v1.0
Source: Verfolgung.exe | String found in binary or memory: https://auth.api.rackspacecloud.com/v1.0Xhttps://lon.auth.api.rackspacecloud.com/v1.0
Source: vbc.exe, 00000007.00000003.296547055.0000000000B1B000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: Verfolgung.exe | String found in binary or memory: https://lon.auth.api.rackspacecloud.com/v1.0
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                Yara detected HawkEye Keylogger
                Source: Yara match | File source: 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.218784136.0000000003E05000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.219959067.0000000005AB2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.296655328.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Verfolgung.exe PID: 6796, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 5748, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6832, type: MEMORY
                Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Verfolgung.exe.5ab0000.3.unpack, type: UNPACKEDPE
                Contains functionality to log keystrokes (.Net Source)
                Source: 0.2.Verfolgung.exe.5ab0000.3.unpack, Form1.cs | .Net Code: HookKeyboard
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                Contains functionality to register a low level keyboard hook
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F04E4 SetWindowsHookExA 0000000D,00000000,?,?
                Installs a global keyboard hook
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0040D674 OpenClipboard,GetLastError,DeleteFileW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.218784136.0000000003E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.218784136.0000000003E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.219959067.0000000005AB2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.219959067.0000000005AB2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.296655328.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.Verfolgung.exe.5ab0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.Verfolgung.exe.5ab0000.3.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\Desktop\Verfolgung.exe | Code function: 0_2_05481C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,
                Source: C:\Users\user\Desktop\Verfolgung.exe | Code function: 0_2_054800AD NtOpenSection,NtMapViewOfSection,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B62798 NtResumeThread,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B62E68 NtSetContextThread,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B628F8 NtWriteVirtualMemory,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B62792 NtResumeThread,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B62E60 NtSetContextThread,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B628F0 NtWriteVirtualMemory,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary,
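                The two most telling entries in this report are the call chain in Verfolgung.exe at 0_2_05481C09 (CreateProcessW, then NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread: the classic process-hollowing order) and the SetWindowsHookExA call in RegAsm.exe at 2_2_079F04E4 with idHook 0x0D, which is WH_KEYBOARD_LL, listed under "Contains functionality to register a low level keyboard hook". Both can be matched mechanically. The Python below is an added example, not code from the Joe Sandbox report or from HawkEye: it parses trace lines in the report's "Code function" layout (the "|" separator, the regular expression and the sample lines, including the benign fourth line, are constructed for the example) and flags the ordered hollowing subsequence and any low-level keyboard hook. The argument order assumed for SetWindowsHookEx is the Win32 prototype (idHook, lpfn, hMod, dwThreadId); only idHook is interpreted.

```python
"""Match a process-hollowing call chain and low-level keyboard hooks in
sandbox 'Code function' trace lines (added example, not part of the report)."""
import re
from dataclasses import dataclass

# Ordered subset of the chain the report shows in Verfolgung.exe at 0_2_05481C09:
# create the target, unmap its image, write the payload, repoint the thread,
# resume it. Other calls may sit between these five.
HOLLOWING_ORDER = ("CreateProcessW", "NtUnmapViewOfSection", "NtWriteVirtualMemory",
                   "NtSetContextThread", "NtResumeThread")
WH_KEYBOARD_LL = 13  # idHook 0x0D in the SetWindowsHookExA call in the report

# Line layout assumed by this example: "<process> | Code function: <pid>_<pass>_<addr> <calls>"
LINE_RE = re.compile(r"^(?P<proc>.+?) \| Code function: (?P<func>\d+_\d+_[0-9A-Fa-f]+) (?P<rest>.*)$")

# Constructed trace: three lines copied from the report plus one invented benign
# hook (idHook 2 = WH_KEYBOARD, thread-scoped, installed by ordinary GUI code).
SAMPLE_TRACE = r"""
C:\Users\user\Desktop\Verfolgung.exe | Code function: 0_2_05481C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F04E4 SetWindowsHookExA 0000000D,00000000,?,?
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
C:\Program Files\Example\benign.exe | Code function: 9_2_00401000 SetWindowsHookExA 00000002,00401500,00400000,00001234
"""


@dataclass
class Finding:
    process: str
    function: str
    technique: str


def parse_line(line):
    """Split one trace line into (process, function id, api list, argument list).
    Two shapes occur in the report: "Api1,Api2,Api3," (a call list) and
    "Api arg1,arg2,?,?" (a single call with its arguments)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if " " in rest:
        api, args = rest.split(" ", 1)
        return m.group("proc"), m.group("func"), [api], [a.strip() for a in args.split(",")]
    return m.group("proc"), m.group("func"), [a for a in rest.split(",") if a], []


def is_ordered_subsequence(needles, haystack):
    """True if every needle occurs in haystack in the given order (gaps allowed)."""
    it = iter(haystack)
    return all(any(x == n for x in it) for n in needles)


def classify_hook(api, args):
    """Name the technique if the call installs a WH_KEYBOARD_LL hook.
    A low-level keyboard hook is always system-wide, whatever dwThreadId says."""
    if api not in ("SetWindowsHookExA", "SetWindowsHookExW") or not args:
        return None
    try:
        id_hook = int(args[0], 16)  # first argument: idHook
    except ValueError:
        return None
    if id_hook != WH_KEYBOARD_LL:
        return None
    return "global low-level keyboard hook (WH_KEYBOARD_LL)"


def scan(trace):
    """Return one Finding per technique matched in each trace line."""
    findings = []
    for line in trace.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        proc, func, apis, args = parsed
        if is_ordered_subsequence(HOLLOWING_ORDER, apis):
            findings.append(Finding(proc, func, "process hollowing call chain"))
        technique = classify_hook(apis[0], args) if len(apis) == 1 else None
        if technique:
            findings.append(Finding(proc, func, technique))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TRACE):
        print(f"{f.function}  {f.technique}  ({f.process})")
```

                Run stand-alone it reports the hollowing chain at 0_2_05481C09 and the WH_KEYBOARD_LL hook at 2_2_079F04E4 and stays silent on the other two lines. The subsequence check deliberately allows gaps, because the report's chain interleaves NtCreateSection/NtMapViewOfSection and NtGetContextThread between the five calls that define the technique.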
                Source: C:\Users\user\Desktop\Verfolgung.exe | Code function: 0_2_013B0A88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02BBB29C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02BBC310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02BBB290
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02BBB1F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02BB99D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02BBDFD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FE480
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F22B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F2BA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FF1C1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FBE00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F3BE8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F98C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F22A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079FBDF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_079F3BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B61BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B8B4E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B80040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B8EEC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07B8BDB0
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00404419
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00404516
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00413538
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004145A1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0040E639
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004337AF
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004399B1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0043DAE7
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00405CF6
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00403F85
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00411F99
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00404DDB
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040BD8A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00404E4C
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00404EBD
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00404F4E
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
                Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6832 -s 1844
                Source: Verfolgung.exe, 00000000.00000002.220035866.0000000005B32000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs Verfolgung.exe
                Source: Verfolgung.exe, 00000000.00000002.219694833.00000000052D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameyrHgDOfsDRrzGDUH.river.exe4 vs Verfolgung.exe
                Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Verfolgung.exe
                Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Verfolgung.exe
                Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Verfolgung.exe
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: dsreg.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: twinapi.appcore.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: rmclient.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: netprofm.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: npmproxy.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: netprofm.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: npmproxy.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: windows.security.authentication.onlineid.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: twinapi.appcore.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: rmclient.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: webio.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: schannel.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: cryptnet.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: twinapi.appcore.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: rmclient.dll
                Source: 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.218784136.0000000003E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.218784136.0000000003E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.219959067.0000000005AB2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.219959067.0000000005AB2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.296655328.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.Verfolgung.exe.5ab0000.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.Verfolgung.exe.5ab0000.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: Verfolgung.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: 0.2.Verfolgung.exe.5ab0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.Verfolgung.exe.5ab0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.Verfolgung.exe.5ab0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.Verfolgung.exe.5ab0000.3.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Verfolgung.exe.5ab0000.3.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 2.2.RegAsm.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'Ta2Jfga3JLt9/E73uK1VhbUkk6jqZCdloIN2u06AJMoTMeKiapqOoCfJFBjcj+Ok8ojK3Xa4zTJPtjgAWPgTDA==', 'qV6RbSlp+AMZw5SKvXWylN1rCuU8c5wmPAh3Hdmo0Ki+cXj7F0pWkNOaz5xvcV8/1lMVIeZ7DPLAHupVS+LnUQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@10/8@1/1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,
                Source: C:\Users\user\Desktop\Verfolgung.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Verfolgung.exe.log
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6832
                Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER71DF.tmp
                Source: Verfolgung.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Verfolgung.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
                Source: C:\Users\user\Desktop\Verfolgung.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.296932814.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: unknown | Process created: C:\Users\user\Desktop\Verfolgung.exe 'C:\Users\user\Desktop\Verfolgung.exe'
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6832 -s 1844
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\Verfolgung.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Users\user\Desktop\Verfolgung.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
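                The process tree recorded above is the part of this report that translates most directly into detection logic: Verfolgung.exe starts RegAsm.exe with an empty command line (the hollowing host), RegAsm.exe starts vbc.exe twice with /stext and a temp file (the NirSoft mailpv and WebBrowserPassView recovery tools, whose OriginalFilename strings appear earlier in the report, dump their output with this switch), and WerFault.exe is launched for PID 6832, the RegAsm.exe process. The Python below is an added example, not part of the Joe Sandbox report: it runs three rules over constructed process-creation events that copy the images, command lines and the PIDs 6796, 6832 and 5748 shown above; the vbc.exe PIDs, the parent PIDs, and the benign compiler invocation are invented for the example, and the set of .NET utilities treated as injection hosts is an assumption of the example rather than something the report states.

```python
"""Three detection rules over process-creation events (added example; the
events are constructed from the process tree in this report)."""
import ntpath
import re

# .NET framework utilities that do nothing useful when started with no
# arguments and are therefore popular hosts for injected code. Assumed list;
# the report itself shows RegAsm.exe.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                "vbc.exe", "csc.exe"}

# NirSoft "save report" switches; /stext is the one used in this report.
NIRSOFT_SAVE_RE = re.compile(r"/s(?:text|html|xml|comma|tab)\s+'?([^'\s]+)'?", re.I)
WERFAULT_PID_RE = re.compile(r"\s-p\s+(\d+)\b")

# Constructed events. Images, command lines and PIDs 6796/6832/5748 follow the
# report; the vbc.exe PIDs, all parent PIDs and the benign build are invented.
EVENTS = [
    {"pid": 6796, "ppid": 4000, "image": r"C:\Users\user\Desktop\Verfolgung.exe",
     "cmdline": r"'C:\Users\user\Desktop\Verfolgung.exe'"},
    {"pid": 6832, "ppid": 6796, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"pid": 6900, "ppid": 6832, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"},
    {"pid": 6901, "ppid": 6832, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"},
    {"pid": 5748, "ppid": 6832, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6832 -s 1844"},
    # Benign control: a real compile has arguments and is not a child of a flagged host.
    {"pid": 7000, "ppid": 4000, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig /out:app.exe Module1.vb"},
]


def image_name(path):
    """Lower-cased final path component; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def has_no_arguments(event):
    """True when the command line is just the image itself, quoted or not."""
    return image_name(event["cmdline"].strip().strip("'\"")) == image_name(event["image"])


def analyze(events):
    """Return (pid, rule, detail) tuples.
    1. dotnet-host-no-args: a .NET utility started with an empty command line.
    2. nirsoft-save-switch: a child of such a host writing a NirSoft report file.
    3. werfault-for-injected-host: WerFault reporting a crash in a flagged host
       (injected payloads crash far more often than the real utility does)."""
    findings = []
    hosts = {e["pid"] for e in events
             if image_name(e["image"]) in DOTNET_HOSTS and has_no_arguments(e)}
    for e in events:
        if e["pid"] in hosts:
            findings.append((e["pid"], "dotnet-host-no-args", image_name(e["image"])))
            continue
        m = NIRSOFT_SAVE_RE.search(e["cmdline"])
        if m and e["ppid"] in hosts:
            findings.append((e["pid"], "nirsoft-save-switch", m.group(1)))
        if image_name(e["image"]) == "werfault.exe":
            w = WERFAULT_PID_RE.search(e["cmdline"])
            if w and int(w.group(1)) in hosts:
                findings.append((e["pid"], "werfault-for-injected-host", int(w.group(1))))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"{pid:>6}  {rule:<28} {detail}")
```

                Run stand-alone it flags PID 6832 as an argument-less RegAsm.exe, both vbc.exe children with the temp file each one writes, and the WerFault.exe instance for 6832, while the benign vbc.exe compile produces nothing. Rule 2 is deliberately conditioned on the parent being a flagged host; on its own, /stext on a vbc.exe command line is already anomalous (the real compiler has no such switch), but tying it to the hollowed parent is what turns a hint into the HawkEye pattern this report documents.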
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: Verfolgung.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Verfolgung.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Verfolgung.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: anagement.pdb source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.258482527.00000000010EC000.00000004.00000001.sdmp
                Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: RegAsm.pdb source: WerFault.exe, 00000006.00000002.284594657.0000000003560000.00000002.00000001.sdmp
                Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.271914442.0000000005860000.00000004.00000040.sdmp
                Source: Binary string: winnsi.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: ml.pdb source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: clr.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: clrjit.pdb { source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: .ni.pdb source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: ility.pdb source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: wmswsock.pdb,{ source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp, WER71DF.tmp.dmp.6.dr
                Source: Binary string: i0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000002.00000002.310059583.000000000858A000.00000004.00000010.sdmp
                Source: Binary string: RegAsm.PDB source: RegAsm.exe, 00000002.00000002.310059583.000000000858A000.00000004.00000010.sdmp
                Source: Binary string: cryptsp.pdb*{ source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: shcore.pdb_ source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: rsaenh.pdb2{ source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: System.Runtime.Remoting.pdbhb source: WER71DF.tmp.dmp.6.dr
                Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.258874268.00000000010C8000.00000004.00000001.sdmp
                Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp, WER71DF.tmp.dmp.6.dr
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Verfolgung.exe, 00000000.00000002.219823799.000000000549E000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000002.295032492.0000000000402000.00000040.00000001.sdmp, vbc.exe
                Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: RegAsm.pdb4 source: WerFault.exe, 00000006.00000002.284594657.0000000003560000.00000002.00000001.sdmp
                Source: Binary string: System.Xml.pdb4"9l< source: WER71DF.tmp.dmp.6.dr
                Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: mscoree.pdb source: WerFault.exe, 00000006.00000003.271914442.0000000005860000.00000004.00000040.sdmp
                Source: Binary string: sfc.pdb! source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.310059583.000000000858A000.00000004.00000010.sdmp
                Source: Binary string: .pdb0 source: RegAsm.exe, 00000002.00000002.310059583.000000000858A000.00000004.00000010.sdmp
                Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: nsi.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: fltLib.pdb"L source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: powrprof.pdb8L source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER71DF.tmp.dmp.6.dr
                Source: Binary string: sechost.pdb$L source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp, WER71DF.tmp.dmp.6.dr
                Source: Binary string: ole32.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: wUxTheme.pdb>{ source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: msasn1.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000002.00000002.310059583.000000000858A000.00000004.00000010.sdmp, WerFault.exe, 00000006.00000003.271389138.00000000056BA000.00000004.00000001.sdmp, WER71DF.tmp.dmp.6.dr
                Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: DWrite.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp, WER71DF.tmp.dmp.6.dr
                Source: Binary string: System.Management.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp, WER71DF.tmp.dmp.6.dr
                Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.258848212.00000000010C2000.00000004.00000001.sdmp
                Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER71DF.tmp.dmp.6.dr
                Source: Binary string: C:\xampp\htdocs\Aspire\files\fatcat247_yrHgDOfsDRrzGDUH\yrHgDOfsDRrzGDUHma.pdbT source: Verfolgung.exe
                Source: Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: System.pdb2 source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.271914442.0000000005860000.00000004.00000040.sdmp
                Source: Binary string: System.Xml.ni.pdbRSDS source: WER71DF.tmp.dmp.6.dr
                Source: Binary string: psapi.pdb4{ source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.310059583.000000000858A000.00000004.00000010.sdmp
                Source: Binary string: xecute.pdb source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: System.Core.ni.pdbRSDSD source: WER71DF.tmp.dmp.6.dr
                Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp, WER71DF.tmp.dmp.6.dr
                Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: rawing.pdb source: WerFault.exe, 00000006.00000003.271445736.00000000056A3000.00000004.00000001.sdmp
                Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: wimm32.pdb6L source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: iphlpapi.pdbL source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: wrpcrt4.pdbs source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp, WER71DF.tmp.dmp.6.dr
                Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp, WER71DF.tmp.dmp.6.dr
                Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: CMemoryExecute.pdbP; source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: setupapi.pdb.L source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbT source: WerFault.exe, 00000006.00000003.271389138.00000000056BA000.00000004.00000001.sdmp
                Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: System.pdbx source: WerFault.exe, 00000006.00000003.269191135.0000000005980000.00000004.00000001.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.310059583.000000000858A000.00000004.00000010.sdmp
                Source: Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.271265274.0000000005868000.00000004.00000040.sdmp
                Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp, WER71DF.tmp.dmp.6.dr
                Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.271341667.00000000056A1000.00000004.00000001.sdmp
                Source: Binary string: WLDP.pdb source: WerFault.exe, 00000006.00000003.271172101.000000000586E000.00000004.00000040.sdmp
                Source: