
Analysis Report: company certificate.exe

Overview

General Information

Sample Name: company certificate.exe
Analysis ID: 296160
MD5: b934fc6cc0c384172bebd09853d20bb5
SHA1: e56d56fd478c8e74d81a74c8f15ca7ac3fc501c4
SHA256: 3822d27d679a8a6ed258783c32000566819f58779cdb911c36e122fe902950f2
Tags: exe, HawkEye

Detection

Families: HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • company certificate.exe (PID: 1320 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: B934FC6CC0C384172BEBD09853D20BB5)
    • timeout.exe (PID: 2440 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 4420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • company certificate.exe (PID: 6876 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: B934FC6CC0C384172BEBD09853D20BB5)
    • company certificate.exe (PID: 7048 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: B934FC6CC0C384172BEBD09853D20BB5)
      • WerFault.exe (PID: 4768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 2004 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4544 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1956 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • company certificate.exe (PID: 5204 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: B934FC6CC0C384172BEBD09853D20BB5)
    • timeout.exe (PID: 4388 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • company certificate.exe (PID: 768 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: B934FC6CC0C384172BEBD09853D20BB5)
    • timeout.exe (PID: 5148 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • company certificate.exe (PID: 5592 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: B934FC6CC0C384172BEBD09853D20BB5)
    • timeout.exe (PID: 5684 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 5704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • company certificate.exe (PID: 3544 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: B934FC6CC0C384172BEBD09853D20BB5)
    • timeout.exe (PID: 6324 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • company certificate.exe (PID: 7124 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe' MD5: B934FC6CC0C384172BEBD09853D20BB5)
    • timeout.exe (PID: 5808 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp
Rule: RAT_HawkEye (Detects HawkEye RAT), author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b6cc:$key: HawkEyeKeylogger
  • 0x7d8fc:$salt: 099u787978786
  • 0x7bd0d:$string1: HawkEye_Keylogger
  • 0x7cb4c:$string1: HawkEye_Keylogger
  • 0x7d85c:$string1: HawkEye_Keylogger
  • 0x7c0e2:$string2: holdermail.txt
  • 0x7c102:$string2: holdermail.txt
  • 0x7c024:$string3: wallet.dat
  • 0x7c03c:$string3: wallet.dat
  • 0x7c052:$string3: wallet.dat
  • 0x7d420:$string4: Keylog Records
  • 0x7d738:$string4: Keylog Records
  • 0x7d954:$string5: do not script -->
  • 0x7b6b4:$string6: \pidloc.txt
  • 0x7b742:$string7: BSPLIT
  • 0x7b752:$string7: BSPLIT

Source: 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_MailPassView (Yara detected MailPassView), author: Joe Security

Source: 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger), author: Joe Security

Source: 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView (Yara detected WebBrowserPassView password recovery tool), author: Joe Security

Source: 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp
Rule: Hawkeye (detect HawkEye in memory), author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bd65:$hawkstr1: HawkEye Keylogger
  • 0x7cb92:$hawkstr1: HawkEye Keylogger
  • 0x7cec1:$hawkstr1: HawkEye Keylogger
  • 0x7d01c:$hawkstr1: HawkEye Keylogger
  • 0x7d17f:$hawkstr1: HawkEye Keylogger
  • 0x7d3f8:$hawkstr1: HawkEye Keylogger
  • 0x7b8f3:$hawkstr2: Dear HawkEye Customers!
  • 0x7cf14:$hawkstr2: Dear HawkEye Customers!
  • 0x7d06b:$hawkstr2: Dear HawkEye Customers!
  • 0x7d1d2:$hawkstr2: Dear HawkEye Customers!
  • 0x7ba14:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source: 13.2.company certificate.exe.400000.0.unpack
Rule: RAT_HawkEye (Detects HawkEye RAT), author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b8cc:$key: HawkEyeKeylogger
  • 0x7dafc:$salt: 099u787978786
  • 0x7bf0d:$string1: HawkEye_Keylogger
  • 0x7cd4c:$string1: HawkEye_Keylogger
  • 0x7da5c:$string1: HawkEye_Keylogger
  • 0x7c2e2:$string2: holdermail.txt
  • 0x7c302:$string2: holdermail.txt
  • 0x7c224:$string3: wallet.dat
  • 0x7c23c:$string3: wallet.dat
  • 0x7c252:$string3: wallet.dat
  • 0x7d620:$string4: Keylog Records
  • 0x7d938:$string4: Keylog Records
  • 0x7db54:$string5: do not script -->
  • 0x7b8b4:$string6: \pidloc.txt
  • 0x7b942:$string7: BSPLIT
  • 0x7b952:$string7: BSPLIT

Source: 13.2.company certificate.exe.400000.0.unpack
Rule: JoeSecurity_MailPassView (Yara detected MailPassView), author: Joe Security

Source: 13.2.company certificate.exe.400000.0.unpack
Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger), author: Joe Security

Source: 13.2.company certificate.exe.400000.0.unpack
Rule: JoeSecurity_WebBrowserPassView (Yara detected WebBrowserPassView password recovery tool), author: Joe Security

Source: 13.2.company certificate.exe.400000.0.unpack
Rule: Hawkeye (detect HawkEye in memory), author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bf65:$hawkstr1: HawkEye Keylogger
  • 0x7cd92:$hawkstr1: HawkEye Keylogger
  • 0x7d0c1:$hawkstr1: HawkEye Keylogger
  • 0x7d21c:$hawkstr1: HawkEye Keylogger
  • 0x7d37f:$hawkstr1: HawkEye Keylogger
  • 0x7d5f8:$hawkstr1: HawkEye Keylogger
  • 0x7baf3:$hawkstr2: Dear HawkEye Customers!
  • 0x7d114:$hawkstr2: Dear HawkEye Customers!
  • 0x7d26b:$hawkstr2: Dear HawkEye Customers!
  • 0x7d3d2:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc14:$hawkstr3: HawkEye Logger Details:

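The RAT_HawkEye rows above are string matches, so a responder without a yara build on hand can reproduce them directly. The following is an added example, not code from the Joe Sandbox report and not Kevin Breen's rule: it re-implements the rule's string set in plain Python, scans a buffer (a raw process dump or the unpacked PE) and prints offset:$name hits in the same shape as the Strings column. Two things are assumptions: the literals are searched both as ASCII and as UTF-16LE because HawkEye is a .NET binary and the page does not show the rule's string modifiers, and the verdict threshold (key and salt plus four distinct $stringN hits) is this example's choice, since the page does not reproduce the rule's condition clause. The sample buffer is constructed, not real HawkEye bytes.

```python
"""String-level check for the RAT_HawkEye indicators listed in the report.

Added example, not code from the Joe Sandbox report or from the rule's author.
Runs with the standard library only; no yara module required.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Literals copied from the RAT_HawkEye rows above. HawkEye is a .NET binary,
# so every literal is searched both as ASCII and as UTF-16LE (Yara "wide");
# the rule's own string modifiers are not shown on the page (assumption).
HAWKEYE_STRINGS = {
    "$key": "HawkEyeKeylogger",
    "$salt": "099u787978786",
    "$string1": "HawkEye_Keylogger",
    "$string2": "holdermail.txt",
    "$string3": "wallet.dat",
    "$string4": "Keylog Records",
    "$string5": "do not script -->",
    "$string6": "\\pidloc.txt",
    "$string7": "BSPLIT",
}


@dataclass(frozen=True)
class Hit:
    name: str      # e.g. "$key"
    offset: int    # byte offset into the scanned buffer
    encoding: str  # "ascii" or "wide"
    text: str


def find_all(buf: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset of needle in buf, including overlapping ones."""
    start = 0
    while True:
        idx = buf.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1


def scan(buf: bytes, strings: dict[str, str] = HAWKEYE_STRINGS) -> list[Hit]:
    """Return all hits sorted by offset, mirroring the report's listing."""
    hits: list[Hit] = []
    for name, text in strings.items():
        for enc, needle in (("ascii", text.encode("ascii")),
                            ("wide", text.encode("utf-16-le"))):
            hits.extend(Hit(name, off, enc, text) for off in find_all(buf, needle))
    return sorted(hits, key=lambda h: (h.offset, h.name))


def verdict(hits: list[Hit], min_strings: int = 4) -> bool:
    """Decide whether the buffer looks like HawkEye.

    Threshold chosen for this example (assumption, not the published rule's
    condition): $key and $salt must both be present and at least min_strings
    distinct $stringN literals must hit.
    """
    names = {h.name for h in hits}
    if not {"$key", "$salt"} <= names:
        return False
    return sum(1 for n in names if n.startswith("$string")) >= min_strings


def format_hits(hits: list[Hit]) -> list[str]:
    """Render hits like the report: 0x7b6cc:$key: HawkEyeKeylogger."""
    return [f"0x{h.offset:x}:{h.name}: {h.text} ({h.encoding})" for h in hits]


def build_sample() -> bytes:
    """Constructed stand-in for a memory dump (not real HawkEye bytes):
    neutral filler with a subset of the literals embedded, mostly wide."""
    filler = bytes(range(256)) * 4  # 1024 bytes, contains none of the literals
    parts = [
        filler,
        "HawkEyeKeylogger".encode("utf-16-le"),
        filler,
        "099u787978786".encode("utf-16-le"),
        filler,
        "HawkEye_Keylogger".encode("utf-16-le"),
        b"holdermail.txt",
        filler,
        b"wallet.dat\x00wallet.dat",
        "Keylog Records".encode("utf-16-le"),
        filler,
        b"BSPLIT",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    sample_hits = scan(build_sample())
    print("\n".join(format_hits(sample_hits)))
    print("HawkEye-like:", verdict(sample_hits))
```

Point it at a real dump with `scan(open(path, "rb").read())`. Searching both encodings matters in practice: the same literal shows up ASCII in the unpacked PE's metadata and UTF-16LE in the .NET user-string heap, and an ASCII-only grep misses the latter.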
Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: company certificate.exe.7048.13.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe | ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: company certificate.exe | Virustotal: Detection: 15%
Source: company certificate.exe | ReversingLabs: Detection: 20%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: company certificate.exe | Joe Sandbox ML: detected
Source: 13.2.company certificate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.company certificate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.4:49775 -> 199.188.200.150:587
Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com (6 queries)
Source: Joe Sandbox View | IP Address: 104.23.99.190 (2 entries)
Source: Joe Sandbox View | IP Address: 104.23.98.190 (2 entries)
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: pastebin.com
Source: company certificate.exe, 00000014.00000002.977749712.0000000002615000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.983103163.00000000014E4000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: company certificate.exe, 00000014.00000002.977749712.0000000002615000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.983103163.00000000014E4000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: company certificate.exe, 00000014.00000002.959779875.00000000008DF000.00000004.00000020.sdmp, company certificate.exe, 00000017.00000002.983103163.00000000014E4000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: company certificate.exe, 00000014.00000002.977749712.0000000002615000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.983103163.00000000014E4000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: company certificate.exe, 0000000D.00000003.796769756.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikip
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: company certificate.exe, 00000014.00000002.977749712.0000000002615000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.983103163.00000000014E4000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: company certificate.exe, 00000014.00000002.959779875.00000000008DF000.00000004.00000020.sdmp, company certificate.exe, 00000017.00000002.983103163.00000000014E4000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: company certificate.exe, 0000000D.00000002.940714364.0000000003041000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp, company certificate.exe, 00000014.00000002.971243029.00000000025E1000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.1026552854.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000013.00000003.820674367.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: company certificate.exe, 0000000D.00000003.838706232.0000000006218000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: company certificate.exe, 0000000D.00000003.808961571.0000000006217000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.W
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: company certificate.exe, 0000000D.00000003.803302751.0000000006215000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: company certificate.exe, 0000000D.00000003.801356095.0000000006218000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: company certificate.exe, 0000000D.00000003.808068399.0000000006215000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: company certificate.exe, 0000000D.00000003.811884989.0000000006218000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: company certificate.exe, 0000000D.00000003.811884989.0000000006218000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlX
Source: company certificate.exe, 0000000D.00000003.811600640.0000000006217000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000003.810397502.0000000006217000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: company certificate.exe, 0000000D.00000002.940527615.00000000016C7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comF0.g
Source: company certificate.exe, 0000000D.00000002.940527615.00000000016C7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: company certificate.exe, 0000000D.00000002.940527615.00000000016C7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comgritoE)
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: company certificate.exe, 0000000D.00000003.796769756.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.c
Source: company certificate.exe, 0000000D.00000003.794504394.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: company certificate.exe, 0000000D.00000003.796509847.0000000006215000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: company certificate.exe, 0000000D.00000003.795874878.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnC
Source: company certificate.exe, 0000000D.00000003.795874878.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnTC
Source: company certificate.exe, 0000000D.00000003.794504394.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl
Source: company certificate.exe, 0000000D.00000003.795808733.0000000006215000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnn
Source: company certificate.exe, 0000000D.00000003.820022649.0000000006218000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: company certificate.exe, 0000000D.00000003.792626574.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kreq
Source: company certificate.exe, 0000000D.00000003.791679167.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krn
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: company certificate.exe, 0000000D.00000003.803302751.0000000006215000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: company certificate.exe, 0000000D.00000003.792626574.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: company certificate.exe, 0000000D.00000003.791542645.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krFeq
Source: company certificate.exe, 0000000D.00000003.792626574.000000000621E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kra-e
Source: company certificate.exe, 0000000D.00000002.940783546.00000000030AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: company certificate.exe, 0000000D.00000003.817169231.0000000006218000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: company certificate.exe, 0000000D.00000003.816732560.0000000006218000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deFT
Source: company certificate.exe, 0000000D.00000002.944870798.0000000006360000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: company certificate.exe, 00000014.00000002.971243029.00000000025E1000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.1026552854.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com
Source: company certificate.exe, 00000014.00000002.971243029.00000000025E1000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.1026552854.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/B2rJyfA1
Source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/W63zsRav
Source: company certificate.exe, 00000014.00000002.977749712.0000000002615000.00000004.00000001.sdmp, company certificate.exe, 00000014.00000002.980268867.000000000262B000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.1040111983.000000000325B000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.1037390849.0000000003245000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: company certificate.exe, 00000014.00000002.977749712.0000000002615000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.983103163.00000000014E4000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match | File source: 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.940975830.00000000032DA000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.941020971.00000000032FE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: company certificate.exe PID: 7048, type: MEMORY
              Source: Yara match | File source: 13.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)
              Source: 13.2.company certificate.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
              Installs a global keyboard hook
              Source: C:\Users\user\Desktop\company certificate.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\company certificate.exe
              Source: C:\Users\user\Desktop\company certificate.exe | Window created: window name: CLIPBRDWNDCLASS

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000D.00000002.940975830.00000000032DA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 13.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 13.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Users\user\Desktop\company certificate.exe | Process Stats: CPU usage > 98%
              Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_02E8B29C
              Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_02E8C310
              Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_02E899D0
              Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_02E8DFB0
              Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_07AFB4E0
              Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_07AFEEC8
              Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_07AFBDB0
              Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_07AFB198
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1956
              Source: company certificate.exe | Static PE information: invalid certificate
              Source: company certificate.exe | Binary or memory string: OriginalFilename vs company certificate.exe
              Source: company certificate.exe, 00000002.00000000.649675300.0000000000262000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename( vs company certificate.exe
              Source: company certificate.exe, 00000002.00000002.936444760.0000000000390000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs company certificate.exe
              Source: company certificate.exe | Binary or memory string: OriginalFilename vs company certificate.exe
              Source: company certificate.exe, 0000000C.00000000.771138176.0000000000372000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename( vs company certificate.exe
              Source: company certificate.exe | Binary or memory string: OriginalFilename vs company certificate.exe
              Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs company certificate.exe
              Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs company certificate.exe
              Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs company certificate.exe
              Source: company certificate.exe, 0000000D.00000002.938611453.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilename( vs company certificate.exe
              Source: company certificate.exe | Binary or memory string: OriginalFilename vs company certificate.exe
              Source: company certificate.exe, 00000014.00000002.923204600.00000000004F7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs company certificate.exe
              Source: company certificate.exe, 00000014.00000002.959354599.000000000085A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs company certificate.exe
              Source: company certificate.exe, 00000014.00000000.791798137.0000000000102000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename( vs company certificate.exe
              Source: company certificate.exe | Binary or memory string: OriginalFilename vs company certificate.exe
              Source: company certificate.exe, 00000017.00000002.982679340.000000000144A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs company certificate.exe
              Source: company certificate.exe, 00000017.00000002.939903604.00000000010F7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs company certificate.exe
              Source: company certificate.exe, 00000017.00000002.923552925.0000000000D52000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename( vs company certificate.exe
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000D.00000002.940975830.00000000032DA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000003.769725462.0000000003F8B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
              Source: 13.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 13.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 13.2.company certificate.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 13.2.company certificate.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 13.2.company certificate.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 13.2.company certificate.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 13.2.company certificate.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'ZI+vcKfLpvgdqethivgv1S67DATD79uEoorhYdY3AnC6ZOkSHd3V5SQxLQMMwbAoEe7mNme6sizcZJDvBvDTXQ==', 'Q42yOqJy+1qq0KLtaDZjGanaMY0/5S+uhGVK6ZCJZ7QCr+kPPK+x4KRFuhGgFHEB', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@30/8@8/3
              Source: C:\Users\user\Desktop\company certificate.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5704:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_01
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7048
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1320
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4420:120:WilError_01
              Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CF8.tmp
              Source: company certificate.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\company certificate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\company certificate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\company certificate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\company certificate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\company certificate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\company certificate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\company certificate.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\company certificate.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\company certificate.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\company certificate.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\company certificate.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\company certificate.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\company certificate.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\company certificate.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\company certificate.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: company certificate.exe | Virustotal: Detection: 15%
              Source: company certificate.exe | ReversingLabs: Detection: 20%
              Source: C:\Users\user\Desktop\company certificate.exe | File read: C:\Users\user\Desktop\company certificate.exe
              Source: unknown | Process created: C:\Users\user\Desktop\company certificate.exe 'C:\Users\user\Desktop\company certificate.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\Desktop\company certificate.exe C:\Users\user\Desktop\company certificate.exe
              Source: unknown | Process created: C:\Users\user\Desktop\company certificate.exe C:\Users\user\Desktop\company certificate.exe
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1956
              Source: unknown | Process created: C:\Users\user\Desktop\company certificate.exe 'C:\Users\user\Desktop\company certificate.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\Desktop\company certificate.exe 'C:\Users\user\Desktop\company certificate.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\Desktop\company certificate.exe 'C:\Users\user\Desktop\company certificate.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\Desktop\company certificate.exe 'C:\Users\user\Desktop\company certificate.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 2004
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\company certificate.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: C:\Users\user\Desktop\company certificate.exe | Process created: C:\Users\user\Desktop\company certificate.exe C:\Users\user\Desktop\company certificate.exe
              Source: C:\Users\user\Desktop\company certificate.exe | Process created: C:\Users\user\Desktop\company certificate.exe C:\Users\user\Desktop\company certificate.exe
              Source: C:\Users\user\Desktop\company certificate.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: C:\Users\user\Desktop\company certificate.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: C:\Users\user\Desktop\company certificate.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: C:\Users\user\Desktop\company certificate.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: C:\Users\user\Desktop\company certificate.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\company certificate.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: company certificate.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: company certificate.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: anagement.pdb source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: (P<o0C:\Windows\mscorlib.pdb source: company certificate.exe, 0000000D.00000002.953427804.0000000008B0A000.00000004.00000001.sdmp
              Source: Binary string: System.Management.pdb[9{-x source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: jttcompany certificate.PDB source: company certificate.exe, 00000002.00000002.943837268.00000000006F7000.00000004.00000001.sdmp
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.803203014.00000000047D0000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.837326952.0000000004D10000.00000004.00000040.sdmp
              Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: secur32.pdbe source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: winnsi.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: ml.pdb source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: clr.pdb source: WerFault.exe, 00000013.00000003.837326952.0000000004D10000.00000004.00000040.sdmp
              Source: Binary string: .ni.pdb source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: ility.pdb source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000013.00000003.835991957.0000000004D1E000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000013.00000003.836951891.0000000004BDB000.00000004.00000001.sdmp
              Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: schannel.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.836124117.0000000004D12000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp
              Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: o.pdb. source: company certificate.exe, 00000002.00000002.943837268.00000000006F7000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: company certificate.exe, 0000000D.00000002.953427804.0000000008B0A000.00000004.00000001.sdmp
              Source: Binary string: mscoree.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: shcore.pdbk source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: dwmapi.pdbs source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb18zGx source: WerFault.exe, 00000013.00000003.836435987.0000000004BDA000.00000004.00000001.sdmp
              Source: Binary string: symbols\dll\mscorlib.pdb source: company certificate.exe, 0000000D.00000002.953427804.0000000008B0A000.00000004.00000001.sdmp
              Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000013.00000003.836124117.0000000004D12000.00000004.00000040.sdmp
              Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: WLDP.pdbK source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: version.pdb= source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: psapi.pdbu source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: company certificate.PDB source: company certificate.exe, 0000000D.00000002.953427804.0000000008B0A000.00000004.00000001.sdmp
              Source: Binary string: nsi.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: onpGoVisualBasic.pdb source: company certificate.exe, 00000002.00000002.943837268.00000000006F7000.00000004.00000001.sdmp
              Source: Binary string: powrprof.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb18zGx source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: msasn1.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: ncrypt.pdb_ source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: winhttp.pdby source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdb source: company certificate.exe, 0000000D.00000002.953427804.0000000008B0A000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: anagement.pdbn source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.836124117.0000000004D12000.00000004.00000040.sdmp
              Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: System.Management.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.835991957.0000000004D1E000.00000004.00000040.sdmp
              Source: Binary string: cryptsp.pdb[ source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: wuser32.pdb; source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: secur32.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdb' source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000013.00000003.836333253.0000000004D2D000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: rawing.pdb source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000013.00000003.836124117.0000000004D12000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: nsi.pdb40rB_ source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000013.00000003.835991957.0000000004D1E000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.837326952.0000000004D10000.00000004.00000040.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\user\Desktop\company certificate.PDB source: company certificate.exe, 00000002.00000002.943837268.00000000006F7000.00000004.00000001.sdmp
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: wwin32u.pdb1 source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: rsaenh.pdb] source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: (P<oLC:\Windows\Microsoft.VisualBasic.pdb source: company certificate.exe, 00000002.00000002.943837268.00000000006F7000.00000004.00000001.sdmp
              Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000013.00000003.836333253.0000000004D2D000.00000004.00000040.sdmp
              Source: Binary string: winhttp.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000013.00000003.835991957.0000000004D1E000.00000004.00000040.sdmp
              Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: rtutils.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: System.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: ~C:\Users\user\Desktop\company certificate.PDB source: company certificate.exe, 00000002.00000002.943837268.00000000006F7000.00000004.00000001.sdmp
              Source: Binary string: Windows.Storage.pdb% source: WerFault.exe, 00000013.00000003.835991957.0000000004D1E000.00000004.00000040.sdmp
              Source: Binary string: comctl32v582.pdb49rK source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.837326952.0000000004D10000.00000004.00000040.sdmp
              Source: Binary string: WLDP.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: clrjit.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: ws2_32.pdbU source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: wUxTheme.pdbI source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: rasman.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: rasman.pdb/ source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: ntasn1.pdbA source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: WMINet_Utils.pdb40rBT source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: fastprox.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: fltLib.pdba source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: company certificate.exe, 0000000D.00000002.938528025.0000000000402000.00000040.00000001.sdmp
              Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: version.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: wintrust.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: Accessibility.pdb18zGx source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: System.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdb18zGx source: WerFault.exe, 00000013.00000003.836333253.0000000004D2D000.00000004.00000040.sdmp
              Source: Binary string: bcrypt.pdbm source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: msasn1.pdbS source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000013.00000003.836333253.0000000004D2D000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdbG source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.837326952.0000000004D10000.00000004.00000040.sdmp
              Source: Binary string: psapi.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: rawing.pdb" source: WerFault.exe, 00000013.00000003.836658013.0000000004BC2000.00000004.00000001.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.836124117.0000000004D12000.00000004.00000040.sdmp
              Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000013.00000003.836124117.0000000004D12000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb{ source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: combase.pdbk source: WerFault.exe, 00000013.00000003.836124117.0000000004D12000.00000004.00000040.sdmp
              Source: Binary string: System.Core.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: System.Xml.ni.pdb18zGx source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000013.00000002.1034248565.0000000004E70000.00000004.00000001.sdmp
              Source: Binary string: wbemcomn.pdbM source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000013.00000003.836124117.0000000004D12000.00000004.00000040.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.837201565.0000000004D1A000.00000004.00000040.sdmp
              Source: Binary string: .pdb source: company certificate.exe, 0000000D.00000002.953427804.0000000008B0A000.00000004.00000001.sdmp
              Source: Binary string: System.Xml.pdb18zGx source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp
              Source: Binary string: System.ni.pdb source: WerFault.exe, 00000013.00000003.836503481.0000000004BC1000.00000004.00000001.sdmp
              Source: Binary string: crypt32.pdb source: WerFault.exe, 00000013.00000003.836251402.0000000004D25000.00000004.00000040.sdmp

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: 13.2.company certificate.exe.400000.0.unpack, Form1.cs, .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 13.2.company certificate.exe.400000.0.unpack, Form1.cs, .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 13.2.company certificate.exe.400000.0.unpack, Form1.cs, .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 13.2.company certificate.exe.400000.0.unpack, Form1.cs, .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: company certificate.exe, Static PE information: real checksum: 0x1404c should be: 0x221e1
              Source: company certificate.exe.2.dr, Static PE information: real checksum: 0x1404c should be: 0x221e1
              Source: C:\Users\user\Desktop\company certificate.exe, Code function: 13_2_02E8E672 push esp; ret 13_2_02E8E679