

Analysis Report POinv00393.exe

Overview

General Information

Sample Name: POinv00393.exe
Analysis ID: 346695
MD5: e0db9d12220a5099bd1ebfefc0ccdcfe
SHA1: b0af96f187273082687f2c58faca71b837876429
SHA256: 09969e8d7af6e0c3ef34c344fe378dd23b6f93abcda793c052e36d1777c35ce7
Tags: exe, HawkEye


Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Adds a directory exclusion to Windows Defender
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w10x64
  • POinv00393.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
    • powershell.exe (PID: 6892 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6916 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6980 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7080 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • POinv00393.exe (PID: 2100 cmdline: C:\Users\user\Desktop\POinv00393.exe MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
      • WerFault.exe (PID: 5556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • POinv00393.exe (PID: 6464 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
  • POinv00393.exe (PID: 5436 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
  • POinv00393.exe (PID: 2296 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
  • POinv00393.exe (PID: 1784 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
  • POinv00393.exe (PID: 5404 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x12ce0:$key: HawkEyeKeylogger
  • 0x14f2c:$salt: 099u787978786
  • 0x13347:$string1: HawkEye_Keylogger
  • 0x1419a:$string1: HawkEye_Keylogger
  • 0x14e8c:$string1: HawkEye_Keylogger
  • 0x13730:$string2: holdermail.txt
  • 0x13750:$string2: holdermail.txt
  • 0x13672:$string3: wallet.dat
  • 0x1368a:$string3: wallet.dat
  • 0x136a0:$string3: wallet.dat
  • 0x14a6e:$string4: Keylog Records
  • 0x14d86:$string4: Keylog Records
  • 0x14f84:$string5: do not script -->
  • 0x12cc8:$string6: \pidloc.txt
  • 0x12d3e:$string7: BSPLIT
  • 0x12d4e:$string7: BSPLIT
Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Author: Joe Security
Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Rule: Hawkeye, Description: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
  • 0x1339f:$hawkstr1: HawkEye Keylogger
  • 0x141e0:$hawkstr1: HawkEye Keylogger
  • 0x1450f:$hawkstr1: HawkEye Keylogger
  • 0x1466a:$hawkstr1: HawkEye Keylogger
  • 0x147cd:$hawkstr1: HawkEye Keylogger
  • 0x14a46:$hawkstr1: HawkEye Keylogger
  • 0x12f11:$hawkstr2: Dear HawkEye Customers!
  • 0x14562:$hawkstr2: Dear HawkEye Customers!
  • 0x146b9:$hawkstr2: Dear HawkEye Customers!
  • 0x14820:$hawkstr2: Dear HawkEye Customers!
  • 0x13032:$hawkstr3: HawkEye Logger Details:
Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7be38:$key: HawkEyeKeylogger
  • 0xfe258:$key: HawkEyeKeylogger
  • 0x180478:$key: HawkEyeKeylogger
  • 0x7e084:$salt: 099u787978786
  • 0x1004a4:$salt: 099u787978786
  • 0x1826c4:$salt: 099u787978786
  • 0x7c49f:$string1: HawkEye_Keylogger
  • 0x7d2f2:$string1: HawkEye_Keylogger
  • 0x7dfe4:$string1: HawkEye_Keylogger
  • 0xfe8bf:$string1: HawkEye_Keylogger
  • 0xff712:$string1: HawkEye_Keylogger
  • 0x100404:$string1: HawkEye_Keylogger
  • 0x180adf:$string1: HawkEye_Keylogger
  • 0x181932:$string1: HawkEye_Keylogger
  • 0x182624:$string1: HawkEye_Keylogger
  • 0x7c888:$string2: holdermail.txt
  • 0x7c8a8:$string2: holdermail.txt
  • 0xfeca8:$string2: holdermail.txt
  • 0xfecc8:$string2: holdermail.txt
  • 0x180ec8:$string2: holdermail.txt
  • 0x180ee8:$string2: holdermail.txt
Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\POinv00393.exe', ParentImage: C:\Users\user\Desktop\POinv00393.exe, ParentProcessId: 6708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, ProcessId: 6892

Signature Overview



AV Detection:

Found malware configuration
Source: WerFault.exe.5556.34.memstr, Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe, ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: POinv00393.exe, Virustotal: Detection: 34%
Source: POinv00393.exe, ReversingLabs: Detection: 17%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: POinv00393.exe, Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown, HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49713 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49742 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49746 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49748 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49749 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: POinv00393.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: anagement.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.388800534.0000000004A7F000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: pnrpnsp.pdbj source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdb8 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdbl source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb{ source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb\ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: DWrite.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdbD source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdb~ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdbV source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbd source: WerFault.exe, 00000022.00000003.461500702.0000000004EFB000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: xecute.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: psapi.pdb4 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbz source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdbf source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbH source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdb. source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: wmiutils.pdbZ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdbp source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: .ni.pdbd source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb2 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wbemcomn.pdbB source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, Binary or memory string: [autorun]

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown, DNS query: name: pastebin.com
Source: unknown, DNS query: name: pastebin.com
Source: unknown, DNS query: name: pastebin.com
Source: unknown, DNS query: name: pastebin.com
Source: unknown, DNS query: name: pastebin.com
Source: global traffic, TCP traffic: 192.168.2.3:49733 -> 198.54.122.60:587
Source: Joe Sandbox View, IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View, IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View, IP Address: 104.23.98.190 104.23.98.190
Source: Joe Sandbox View, IP Address: 104.23.98.190 104.23.98.190
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic, TCP traffic: 192.168.2.3:49733 -> 198.54.122.60:587
Source: unknown, HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49713 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49742 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49746 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49748 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49749 version: TLS 1.0
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown, DNS traffic detected: queries for: pastebin.com
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp, String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: powershell.exe, 00000001.00000002.498956817.00000000031E6000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp, String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp, String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: POinv00393.exe, 00000009.00000003.264750218.00000000060AE000.00000004.00000001.sdmp, String found in binary or memory: http://en.wikip
Source: POinv00393.exe, 00000009.00000003.261997834.00000000060AE000.00000004.00000001.sdmp, String found in binary or memory: http://en.wikipedia
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.digicert.com0
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.598548034.0000000003377000.00000004.00000020.sdmp, String found in binary or memory: http://schemas.micr
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: powershell.exe, 00000001.00000002.515543086.0000000004D91000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.575272180.0000000004541000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
      Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
      Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
      Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.266225699.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
      Source: POinv00393.exe, 00000009.00000003.266098249.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comnxa
      Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com(
      Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com.TTF:
      Source: POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/
      Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.292180727.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289173192.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
      Source: POinv00393.exe, 00000009.00000003.291476719.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
      Source: POinv00393.exe, 00000009.00000003.291895161.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/o
      Source: POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers0
      Source: POinv00393.exe, 00000009.00000003.287216804.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: POinv00393.exe, 00000009.00000003.286463158.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers=
      Source: POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersr
      Source: POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerss
      Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
      Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comI.TTF
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
      Source: POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comednxn
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed
      Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgritaU
      Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comion
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comitud
      Source: POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoitu:
      Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueed
      Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comy
      Source: POinv00393.exe, 00000009.00000003.264142006.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.c
      Source: POinv00393.exe, 00000009.00000003.264396432.00000000060A5000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: POinv00393.exe, 00000009.00000003.264516630.00000000060A5000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
      Source: POinv00393.exe, 00000009.00000003.263686147.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnOx
      Source: POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnl-nO
      Source: POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
      Source: POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/2
      Source: POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/:
      Source: POinv00393.exe, 00000009.00000003.314035977.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmWQ
      Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krF4
      Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krK
      Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U
      Source: POinv00393.exe, 00000009.00000003.276537694.00000000060A5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
      Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
      Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sl-s
      Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/y
      Source: POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
      Source: POinv00393.exe, 00000009.00000003.300240186.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.X
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
      Source: POinv00393.exe, 00000009.00000003.281094175.00000000060A9000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: POinv00393.exe, 00000009.00000003.263201663.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.cQ
      Source: POinv00393.exe, 00000009.00000003.262220149.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krW
      Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krim
      Source: POinv00393.exe, 00000009.00000003.269856466.00000000060A9000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
      Source: POinv00393.exe, 00000009.00000003.284582010.00000000060AA000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.del
      Source: POinv00393.exe, 00000009.00000003.265749682.00000000060A7000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
      Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746

      Key, Mouse, Clipboard, Microphone and Screen Capturing:

      Yara detected HawkEye Keylogger
      Source: Yara match | File source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY
      Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 5556, type: MEMORY
      Installs a global keyboard hook
      Source: C:\Users\user\Desktop\POinv00393.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\POinv00393.exe

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
      Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940
      Source: POinv00393.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: POinv00393.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: POinv00393.exe | Binary or memory string: OriginalFilename vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000002.335186152.0000000006D20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000000.206073920.0000000000E72000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs POinv00393.exe
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamedbdc ddb.exe2 vs POinv00393.exe
      Source: POinv00393.exe, 00000009.00000000.243465863.0000000000802000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exe, 0000000B.00000000.251187170.0000000000E12000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exe, 0000000E.00000000.268933713.0000000000782000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exe, 00000015.00000002.560738791.0000000000112000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exe, 0000001A.00000002.409137032.00000000053A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs POinv00393.exe
      Source: POinv00393.exe, 0000001A.00000002.343340975.000000000186A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs POinv00393.exe
      Source: POinv00393.exe, 0000001A.00000000.306230207.0000000000CC2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exe, 0000001F.00000000.325285879.0000000000742000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
      Source: POinv00393.exe, 0000001F.00000002.611727506.00000000012BA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs POinv00393.exe
      Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
      Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
      Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
      Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@30/27@7/5
      Source: C:\Users\user\Desktop\POinv00393.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exeJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2100
      Source: C:\Users\user\Desktop\POinv00393.exeFile created: C:\Users\user\AppData\Local\Temp\16654f11-3a02-4cab-b1ad-a4500300c0c5Jump to behavior
      Source: POinv00393.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\POinv00393.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\POinv00393.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\POinv00393.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\POinv00393.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\POinv00393.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
      Source: POinv00393.exe | Virustotal: Detection: 34%
      Source: POinv00393.exe | ReversingLabs: Detection: 17%
      Source: C:\Users\user\Desktop\POinv00393.exe | File read: C:\Users\user\Desktop\POinv00393.exe
      Source: unknown | Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
      Source: unknown | Process created: C:\Users\user\Desktop\POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940
      Source: C:\Users\user\Desktop\POinv00393.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
      Source: C:\Users\user\Desktop\POinv00393.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
      Source: C:\Users\user\Desktop\POinv00393.exe | Process created: C:\Users\user\Desktop\POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
      Source: C:\Users\user\Desktop\POinv00393.exe | Process created: unknown unknown
      Source: C:\Users\user\Desktop\POinv00393.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\POinv00393.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: POinv00393.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: POinv00393.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: POinv00393.exe | Static file information: File size 4552704 > 1048576
      Source: POinv00393.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x43dc00
      Source: POinv00393.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: anagement.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.388800534.0000000004A7F000.00000004.00000001.sdmp
      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: pnrpnsp.pdbj source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: .ni.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: gdiplus.pdb8 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
      Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
      Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: NapiNSP.pdbl source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wgdi32.pdb{ source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: rasadhlp.pdb\ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: msasn1.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: DWrite.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: comctl32.pdbD source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Management.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: dhcpcsvc6.pdb~ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: winrnr.pdbV source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.ni.pdbd source: WerFault.exe, 00000022.00000003.461500702.0000000004EFB000.00000004.00000001.sdmp
      Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: xecute.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: psapi.pdb4 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdbz source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
      Source: Binary string: winnsi.pdbf source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: iphlpapi.pdbH source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: nlaapi.pdb. source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: wmiutils.pdbZ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: WLDP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: CLBCatQ.pdbp source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: .ni.pdbd source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
      Source: Binary string: msctf.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: msctf.pdb2 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
      Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: wintrust.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
      Source: Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
      Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: comctl32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wbemcomn.pdbB source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
      Source: Binary string: crypt32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp