Analysis Report Orders.exe

Overview

General Information

Sample Name: Orders.exe
Analysis ID: 346555
MD5: e85daf3a43f107b213310a53bfd35aa9
SHA1: 042208c7a232b806c6382e34417f9c8e2a955747
SHA256: 0b1fbc81d9d9e685307e80d20afe4b01c6538b903b77136b0d1db2486fe8c6e8
Tags: exe, Yahoo

Detection

HawkEye AgentTesla MailPassView Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Bypasses PowerShell execution policy
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Opens the same file many times (likely Sandbox evasion)
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • Orders.exe (PID: 6824 cmdline: 'C:\Users\user\Desktop\Orders.exe' MD5: E85DAF3A43F107B213310A53BFD35AA9)
    • powershell.exe (PID: 6896 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Orders.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 7000 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • hawkgoods.exe (PID: 7064 cmdline: 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0 MD5: FFDB58533D5D1362E896E96FB6F02A95)
        • dw20.exe (PID: 6008 cmdline: dw20.exe -x -s 2132 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • vbc.exe (PID: 6288 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 976 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 6308 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • WerFault.exe (PID: 2324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 2132 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • origigoods40.exe (PID: 7116 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0 MD5: AE36F0D16230B9F41FFECBD3C5B1D660)
      • Matiexgoods.exe (PID: 7148 cmdline: 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0 MD5: 80C61B903400B534858D047DD0919F0E)
        • netsh.exe (PID: 6780 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • origigoods20.exe (PID: 5580 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0 MD5: 61DC57C6575E1F3F2AE14C1B332AD2FB)
    • WerFault.exe (PID: 2116 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1104 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • I$s#$lT3ssl.exe (PID: 5184 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' MD5: E85DAF3A43F107B213310A53BFD35AA9)
    • powershell.exe (PID: 5296 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 5468 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • hawkgoods.exe (PID: 4388 cmdline: 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0 MD5: FFDB58533D5D1362E896E96FB6F02A95)
      • origigoods40.exe (PID: 5692 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0 MD5: AE36F0D16230B9F41FFECBD3C5B1D660)
      • Matiexgoods.exe (PID: 6724 cmdline: 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0 MD5: 80C61B903400B534858D047DD0919F0E)
      • origigoods20.exe (PID: 5612 cmdline: 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0 MD5: 61DC57C6575E1F3F2AE14C1B332AD2FB)
    • WerFault.exe (PID: 2160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 1096 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: Agenttesla

{"Username: ": "", "URL: ": "", "To: ": "sales1@midombo.com", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "", "From: ": "sales1@midombo.com"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\origigoods20.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\origigoods40.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security
C:\Users\user\AppData\Local\Temp\hawkgoods.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Local\Temp\hawkgoods.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8c7:$key: HawkEyeKeylogger
  • 0x7db0b:$salt: 099u787978786
  • 0x7bf08:$string1: HawkEye_Keylogger
  • 0x7cd5b:$string1: HawkEye_Keylogger
  • 0x7da6b:$string1: HawkEye_Keylogger
  • 0x7c2f1:$string2: holdermail.txt
  • 0x7c311:$string2: holdermail.txt
  • 0x7c233:$string3: wallet.dat
  • 0x7c24b:$string3: wallet.dat
  • 0x7c261:$string3: wallet.dat
  • 0x7d62f:$string4: Keylog Records
  • 0x7d947:$string4: Keylog Records
  • 0x7db63:$string5: do not script -->
  • 0x7b8af:$string6: \pidloc.txt
  • 0x7b93d:$string7: BSPLIT
  • 0x7b94d:$string7: BSPLIT

Memory Dumps

Source | Rule | Description | Author | Strings
00000025.00000000.399012238.0000000000E72000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x12df7:$key: HawkEyeKeylogger
  • 0x1503b:$salt: 099u787978786
  • 0x13438:$string1: HawkEye_Keylogger
  • 0x1428b:$string1: HawkEye_Keylogger
  • 0x14f9b:$string1: HawkEye_Keylogger
  • 0x13821:$string2: holdermail.txt
  • 0x13841:$string2: holdermail.txt
  • 0x13763:$string3: wallet.dat
  • 0x1377b:$string3: wallet.dat
  • 0x13791:$string3: wallet.dat
  • 0x14b5f:$string4: Keylog Records
  • 0x14e77:$string4: Keylog Records
  • 0x15093:$string5: do not script -->
  • 0x12ddf:$string6: \pidloc.txt
  • 0x12e6d:$string7: BSPLIT
  • 0x12e7d:$string7: BSPLIT
00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x13490:$hawkstr1: HawkEye Keylogger
  • 0x142d1:$hawkstr1: HawkEye Keylogger
  • 0x14600:$hawkstr1: HawkEye Keylogger
  • 0x1475b:$hawkstr1: HawkEye Keylogger
  • 0x148be:$hawkstr1: HawkEye Keylogger
  • 0x14b37:$hawkstr1: HawkEye Keylogger
  • 0x1301e:$hawkstr2: Dear HawkEye Customers!
  • 0x14653:$hawkstr2: Dear HawkEye Customers!
  • 0x147aa:$hawkstr2: Dear HawkEye Customers!
  • 0x14911:$hawkstr2: Dear HawkEye Customers!
  • 0x1313f:$hawkstr3: HawkEye Logger Details:
00000027.00000000.408264262.0000000000532000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
10.0.origigoods20.exe.680000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.0.hawkgoods.exe.670000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.0.hawkgoods.exe.670000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8c7:$key: HawkEyeKeylogger
  • 0x7db0b:$salt: 099u787978786
  • 0x7bf08:$string1: HawkEye_Keylogger
  • 0x7cd5b:$string1: HawkEye_Keylogger
  • 0x7da6b:$string1: HawkEye_Keylogger
  • 0x7c2f1:$string2: holdermail.txt
  • 0x7c311:$string2: holdermail.txt
  • 0x7c233:$string3: wallet.dat
  • 0x7c24b:$string3: wallet.dat
  • 0x7c261:$string3: wallet.dat
  • 0x7d62f:$string4: Keylog Records
  • 0x7d947:$string4: Keylog Records
  • 0x7db63:$string5: do not script -->
  • 0x7b8af:$string6: \pidloc.txt
  • 0x7b93d:$string7: BSPLIT
  • 0x7b94d:$string7: BSPLIT
6.0.hawkgoods.exe.670000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
6.0.hawkgoods.exe.670000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started, Author: Joe Security, Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0, ParentImage: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, ParentProcessId: 7148, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 6780

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Avira: detection malicious, Label: TR/Redcap.jajcu
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, Avira: detection malicious, Label: TR/Spy.Gen8

Found malware configuration
Source: origigoods20.exe.5580.10.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "sales1@midombo.com", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "", "From: ": "sales1@midombo.com"}
Source: Orders.exe.6824.1.memstr, Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Metadefender: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, Metadefender: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe, ReversingLabs: Detection: 22%

Multi AV Scanner detection for submitted file
Source: Orders.exe, ReversingLabs: Detection: 22%

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, Joe Sandbox ML: detected

Machine Learning detection for sample
Source: Orders.exe, Joe Sandbox ML: detected
Source: 6.0.hawkgoods.exe.670000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 6.0.hawkgoods.exe.670000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 36.0.hawkgoods.exe.3d0000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 36.0.hawkgoods.exe.3d0000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 38.0.Matiexgoods.exe.6e0000.0.unpack, Avira: Label: TR/Redcap.jajcu
Source: 33.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.RegAsm.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Redcap.jajcu
Source: 33.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 4.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 4.2.RegAsm.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Redcap.jajcu
Source: 4.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 9.0.Matiexgoods.exe.320000.0.unpack, Avira: Label: TR/Redcap.jajcu
Source: 6.2.hawkgoods.exe.670000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 6.2.hawkgoods.exe.670000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 36.2.hawkgoods.exe.3d0000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 36.2.hawkgoods.exe.3d0000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473

Compliance:

Uses 32bit PE files
Source: Orders.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown, HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.7:49727 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.7:49795 version: TLS 1.0

Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Orders.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols
                    Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: i.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: System.pdbu source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: hawkgoods.exe, 00000006.00000002.492246484.0000000000D40000.00000004.00000020.sdmp
                    Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: mscorlib.pdbHs source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorjit.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb.q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Runtime.Remoting.pdb0| source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: fastprox.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: winrnr.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: msctf.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: i0C:\Windows\mscorlib.pdb source: Orders.exe, 00000001.00000002.347167412.0000000000EF8000.00000004.00000010.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Core.pdb"" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.282564070.0000000005291000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: shcore.pdbVq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.282564070.0000000005291000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: System.Xml.ni.pdb% source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: clrjit.pdbxq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc.pdb=nh source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp
                    Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb/o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.262032380.0000000003007000.00000004.00000001.sdmp
                    Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorjit.pdbs source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb0q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: shell32.pdbx source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdb7 source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: powrprof.pdb6q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: wintrust.pdbq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp
                    Source: Binary string: oC:\Windows\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.521259044.000000000850B000.00000004.00000010.sdmp
                    Source: Binary string: System.pdb7o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: symbols\dll\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: WLDP.pdbjq source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: Kernel.Appcore.pdbW source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.256501427.0000000000403000.00000040.00000001.sdmp, Matiexgoods.exe, 00000009.00000000.253083713.0000000000322000.00000002.00020000.sdmp
                    Source: Binary string: msvcr120_clr0400.i386.pdbP source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdbN source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: Windows.Storage.pdbP source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: sechost.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: DWrite.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: msctf.pdbknR source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Data.DataSetExtensions.pdb source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdbd source: hawkgoods.exe, 00000006.00000002.495178056.0000000002AC0000.00000004.00000040.sdmp
                    Source: Binary string: bcrypt.pdbmnX source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: rawing.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: fastprox.pdb)n source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb"q source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: winhttp.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: oleaut32.pdbEnp source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: rtutils.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: edputil.pdbOn~ source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.264528925.0000000002FF5000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.304143187.0000000002D30000.00000004.00000001.sdmp
                    Source: Binary string: mscorwks.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdbd source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdbanT source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: hawkgoods.exe, 00000006.00000002.521259044.000000000850B000.00000004.00000010.sdmp
                    Source: Binary string: wUxTheme.pdb9o source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: shfolder.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: rasman.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp, hawkgoods.exe
                    Source: Binary string: System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.495362549.0000000002ACC000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdbMo source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: hawkgoods.exe, 00000006.00000002.492246484.0000000000D40000.00000004.00000020.sdmp
                    Source: Binary string: ata.DataSetExtensions.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: psapi.pdb'n source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: rasapi32.pdbWnF source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: mscorrc.pdb source: hawkgoods.exe, 00000006.00000002.506186983.0000000004FD0000.00000002.00000001.sdmp
                    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.283061091.0000000005290000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: psapi.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.282843528.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.262032380.0000000003007000.00000004.00000001.sdmp
                    Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.282899730.0000000005294000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000B.00000002.341129759.0000000005510000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: hawkgoods.exe, 00000006.00000002.519656085.0000000007A0A000.00000004.00000010.sdmp
                    Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000003.282528294.00000000052A4000.00000004.00000001.sdmp
                    Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdb1nd source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.282657543.0000000005297000.00000004.00000040.sdmp
                    Source: Binary string: edputil.pdb source: WerFault.exe, 00000017.00000003.343965279.00000000051E8000.00000004.00000040.sdmp
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp Binary or memory string: autorun.inf
                    Source: Orders.exe, 00000001.00000002.361141701.0000000004154000.00000004.00000001.sdmp Binary or memory string: [autorun]
                    Source: RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp Binary or memory string: autorun.inf
                    Source: RegAsm.exe, 00000004.00000003.246774488.0000000003670000.00000004.00000001.sdmp Binary or memory string: [autorun]
                    Source: hawkgoods.exe Binary or memory string: autorun.inf
                    Source: hawkgoods.exe Binary or memory string: [autorun]
                    Source: WerFault.exe, 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp Binary or memory string: autorun.inf
                    Source: WerFault.exe, 00000017.00000002.450940492.0000000005360000.00000004.00000001.sdmp Binary or memory string: [autorun]