Windows Analysis Report 201021.exe

Overview

General Information

Sample Name: 201021.exe
Analysis ID: 506137
MD5: ff59b59d6fb138bd3a588d89ea0fa1d7
SHA1: fad22ded5983e8d5a9bffa398c3281670e496f46
SHA256: 8e1c67e8ed76591ed779773be365b2b66440d958f1bf3556d4512f71836c3d2f
Tags: exe, hawkeye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected HawkEye Rat
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Tries to steal Mail credentials (via file registry)
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • 201021.exe (PID: 2168 cmdline: 'C:\Users\user\Desktop\201021.exe' MD5: FF59B59D6FB138BD3A588D89EA0FA1D7)
    • InstallUtil.exe (PID: 6672 cmdline: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • vbc.exe (PID: 7120 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7128 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • WerFault.exe (PID: 2212 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1932 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000A.00000002.406134139.0000000007D10000.00000004.00020000.sdmp
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: 0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x25d0:$hawkstr1: HawkEye Keylogger
  • 0x2088:$hawkstr2: Dear HawkEye Customers!
  • 0x21b6:$hawkstr3: HawkEye Logger Details:

Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b6ba:$key: HawkEyeKeylogger
  • 0x7d8c8:$salt: 099u787978786
  • 0x7bce3:$string1: HawkEye_Keylogger
  • 0x7cb36:$string1: HawkEye_Keylogger
  • 0x7d828:$string1: HawkEye_Keylogger
  • 0x7c0cc:$string2: holdermail.txt
  • 0x7c0ec:$string2: holdermail.txt
  • 0x7c00e:$string3: wallet.dat
  • 0x7c026:$string3: wallet.dat
  • 0x7c03c:$string3: wallet.dat
  • 0x7d40a:$string4: Keylog Records
  • 0x7d722:$string4: Keylog Records
  • 0x7d920:$string5: do not script -->
  • 0x7b6a2:$string6: \pidloc.txt
  • 0x7b718:$string7: BSPLIT
  • 0x7b728:$string7: BSPLIT

Source: 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Unpacked PEs

Source: 10.0.InstallUtil.exe.3b39930.8.raw.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 10.0.InstallUtil.exe.3b39930.8.raw.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 10.2.InstallUtil.exe.409c0d.2.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 10.0.InstallUtil.exe.7ca0000.19.raw.unpack
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: 10.2.InstallUtil.exe.7ca0000.9.raw.unpack
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4: Data: Command: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\Desktop\201021.exe' , ParentImage: C:\Users\user\Desktop\201021.exe, ParentProcessId: 2168, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6672

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 201021.exe, ReversingLabs: Detection: 40%
Machine Learning detection for sample
Source: 201021.exe, Joe Sandbox ML: detected
Source: 10.2.InstallUtil.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.InstallUtil.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 10.0.InstallUtil.exe.400000.11.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 10.0.InstallUtil.exe.400000.11.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 10.0.InstallUtil.exe.400000.1.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 10.0.InstallUtil.exe.400000.1.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.201021.exe.39bac82.3.unpack, Avira: Label: TR/Inject.vcoldi
Source: 201021.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown, HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.7:49746 version: TLS 1.0
Source: 201021.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA