Process crash dumps can lead to the exposure of passwords and other sensitive information, especially if they were saved while a process was trying to send entered user data over a secure protocol. Here's an incident that happened to us. We were trying to log in to an online banking system to check our balances, and when we entered our user id and password in IE and clicked the Continue button, the system experienced a small delay and then a WER dialog box appeared asking us to either check online for a solution, debug, or close the program. We chose Close the program, and a full process memory dump was saved because we had already set up LocalDumps (Volume 1, page 606) on our old Vista system (the problem was also reproducible).
We opened the crash dump and found heap corruption (Volume 1, page 257):
0:004> kL 100
ChildEBP RetAddr
02c9cb18 77815620 ntdll!KiFastSystemCallRet
02c9cb1c 77843c62 ntdll!NtWaitForSingleObject+0xc
02c9cba0 77843d4b ntdll!RtlReportExceptionEx+0x14b
02c9cbe0 7785fa87 ntdll!RtlReportException+0x3c
02c9cbf4 7785fb0d ntdll!RtlpTerminateFailureFilter+0x14
02c9cc00 777b9bdc ntdll!RtlReportCriticalFailure+0x6b
02c9cc14 777b4067 ntdll!_EH4_CallFilterFunc+0x12
02c9cc3c 77815f79 ntdll!_except_handler4+0x8e
02c9cc60 77815f4b ntdll!ExecuteHandler2+0x26
02c9cd10 77815dd7 ntdll!ExecuteHandler+0x24
02c9cd10 7785faf8 ntdll!KiUserExceptionDispatcher+0xf
02c9d084 77860704 ntdll!RtlReportCriticalFailure+0x5b
02c9d094 778607f2 ntdll!RtlpReportHeapFailure+0x21
02c9d0c8 7782b1a5 ntdll!RtlpLogHeapFailure+0xa1
02c9d110 7781730a ntdll!RtlpCoalesceFreeBlocks+0x4b9
02c9d208 77817545 ntdll!RtlpFreeHeap+0x1e2
02c9d224 76277e4b ntdll!RtlFreeHeap+0x14e
02c9d26c 760f7277 kernel32!GlobalFree+0x47
02c9d280 76594a1f ole32!ReleaseStgMedium+0x124
02c9d294 765f7feb urlmon!ReleaseBindInfo+0x4c
02c9d2a4 765b9a87 urlmon!CINet::ReleaseCNetObjects+0x3d
02c9d2bc 765b93f0 urlmon!CINetHttp::OnWininetRequestHandleClosing+0x60
02c9d2d0 77582078 urlmon!CINet::CINetCallback+0x2de
02c9d418 77588f5d wininet!InternetIndicateStatus+0xfc
02c9d448 7758937a wininet!HANDLE_OBJECT::~HANDLE_OBJECT+0xc9
02c9d464 7758916b wininet!INTERNET_CONNECT_HANDLE_OBJECT::~INTERNET_CONNECT_HANDLE_OBJECT+0x209
02c9d470 77588d5e wininet!HTTP_REQUEST_HANDLE_OBJECT::`vector deleting destructor'+0xd
02c9d480 77584e72 wininet!HANDLE_OBJECT::Dereference+0x22
02c9d48c 77589419 wininet!DereferenceObject+0x21
02c9d4b4 77589114 wininet!_InternetCloseHandle+0x9d
02c9d4d4 0004aaaf wininet!InternetCloseHandle+0x11e
WARNING: Frame IP not in any known module. Following frames may be wrong.
02c9d4e0 765a5d25 0x4aaaf
02c9d4fc 765a5c1b urlmon!CINet::TerminateRequest+0x82
02c9d50c 765a5a3c urlmon!CINet::MyTerminate+0x7b
02c9d51c 765a5998 urlmon!CINetProtImpl::Terminate+0x13
02c9d538 765a5b92 urlmon!CINetEmbdFilter::Terminate+0x17
02c9d548 765b9bc1 urlmon!CINet::Terminate+0x23
02c9d55c 765979f2 urlmon!CINetHttp::Terminate+0x48
02c9d574 7659766b urlmon!COInetProt::Terminate+0x1d
02c9d598 765979c0 urlmon!CTransaction::Terminate+0x12d
02c9d5b8 76597a2d urlmon!CBinding::ReportResult+0x92
02c9d5d0 76596609 urlmon!COInetProt::ReportResult+0x1a
02c9d5f8 76596322 urlmon!CTransaction::DispatchReport+0x1d9
02c9d624 7659653e urlmon!CTransaction::DispatchPacket+0x31
02c9d644 765a504b urlmon!CTransaction::OnINetCallback+0x92
02c9d65c 7741fd72 urlmon!TransactionWndProc+0x28
02c9d688 7741fe4a user32!InternalCallWinProc+0x23
02c9d700 7742018d user32!UserCallWinProcCheckWow+0x14b
02c9d764 7742022b user32!DispatchMessageWorker+0x322
02c9d774 7094c1d5 user32!DispatchMessageW+0xf
02c9f87c 708f337e ieframe!CTabWindow::_TabWindowThreadProc+0x54c
02c9f934 7647426d ieframe!LCIETab_ThreadProc+0x2c1
02c9f944 7627d0e9 iertutil!CIsoScope::RegisterThread+0xab
02c9f950 777f19bb kernel32!BaseThreadInitThunk+0xe
02c9f990 777f198e ntdll!__RtlUserThreadStart+0x23
02c9f9a8 00000000 ntdll!_RtlUserThreadStart+0x1b
We quickly enabled full page heap for iexplore.exe and tried to log in again. The crash happened after the same GUI sequence, and the new dump was saved with the following stack trace:
0:004> kL 100
ChildEBP RetAddr
04c590cc 77815610 ntdll!KiFastSystemCallRet
04c590d0 7627a5d7 ntdll!NtWaitForMultipleObjects+0xc
04c5916c 7627a6f0 kernel32!WaitForMultipleObjectsEx+0x11d
04c59188 762ee2a5 kernel32!WaitForMultipleObjects+0x18
04c591f4 762ee4d1 kernel32!WerpReportFaultInternal+0x16d
04c59208 762cff4d kernel32!WerpReportFault+0x70
04c59294 77827fc1 kernel32!UnhandledExceptionFilter+0x1b5
04c5929c 777b9bdc ntdll!__RtlUserThreadStart+0x6f
04c592b0 777b4067 ntdll!_EH4_CallFilterFunc+0x12
04c592d8 77815f79 ntdll!_except_handler4+0x8e
04c592fc 77815f4b ntdll!ExecuteHandler2+0x26
04c593ac 77815dd7 ntdll!ExecuteHandler+0x24
04c593ac 0004a058 ntdll!KiUserExceptionDispatcher+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
04c596b4 0004a12e 0x4a058
04c596d4 765bb7b1 0x4a12e
04c59714 765bb32b urlmon!CINetHttp::INetAsyncSendRequest+0x347
04c59f34 765bb4c8 urlmon!CINetHttp::INetAsyncOpenRequest+0x2cf
04c59f48 765bac97 urlmon!CINet::INetAsyncConnect+0x24b
04c59f60 765a6af9 urlmon!CINet::INetAsyncOpen+0x11b
04c59f70 765a6aaa urlmon!CINet::INetAsyncStart+0x1a
04c59f8c 765a693f urlmon!CINet::StartCommon+0x198
04c59fa8 765a6b5e urlmon!CINet::StartEx+0x1c
04c59fdc 76598e84 urlmon!COInetProt::StartEx+0xc2
04c5a02c 76599411 urlmon!CTransaction::StartEx+0x3e1
04c5a0b4 76599022 urlmon!CBinding::StartBinding+0x602
04c5a0f8 76599fc0 urlmon!CUrlMon::StartBinding+0x169
04c5a120 6ca4eac6 urlmon!CUrlMon::BindToStorage+0x90
04c5a14c 6ca4e9cb mshtml!CStreamProxy::Bind+0xce
04c5a3ec 6ca4b277 mshtml!CDwnBindData::Bind+0x74b
04c5a414 6ca4b118 mshtml!NewDwnBindData+0x15f
04c5a464 6c9cf0aa mshtml!CDwnLoad::Init+0x121
04c5a4b8 6ca4aa61 mshtml!CHtmLoad::Init+0x1fe
04c5a4dc 6ca4a967 mshtml!CDwnInfo::SetLoad+0x119
04c5a4fc 6c9ce021 mshtml!CDwnCtx::SetLoad+0x7a
04c5a514 6c9cec7b mshtml!CHtmCtx::SetLoad+0x13
04c5a534 6c9c25c9 mshtml!CMarkup::Load+0x167
04c5a738 6cb6f395 mshtml!CMarkup::LoadFromInfo+0xb5a
04c5a910 6cb6f532 mshtml!CDoc::DoNavigate+0x1508
04c5aa30 6cde557e mshtml!CDoc::FollowHyperlink2+0xda7
04c5aaf8 6cde5170 mshtml!CFormElement::DoSubmit+0x405
04c5ab0c 6ca01bc5 mshtml!CFormElement::submit+0x11
04c5ab28 6ca8adc3 mshtml!Method_void_void+0x75
04c5ab9c 6ca96e11 mshtml!CBase::ContextInvokeEx+0x5d1
04c5abec 6cb89057 mshtml!CElement::ContextInvokeEx+0x9d
04c5ac28 6ca8a7c1 mshtml!CFormElement::VersionedInvokeEx+0xf0
04c5ac78 6d1f392a mshtml!PlainInvokeEx+0xea
04c5acb8 6d1f3876 jscript!IDispatchExInvokeEx2+0xf8
04c5acf4 6d1f4db6 jscript!IDispatchExInvokeEx+0x6a
04c5adb4 6d1f4d10 jscript!InvokeDispatchEx+0x98
04c5ade8 6d1f2bfd jscript!VAR::InvokeByName+0x135
04c5ae34 6d1f40c5 jscript!VAR::InvokeDispName+0x7a
04c5ae64 6d1f4e23 jscript!VAR::InvokeByDispID+0xce
04c5b000 6d1f123b jscript!CScriptRuntime::Run+0x2abe
04c5b0e8 6d1f1175 jscript!ScrFncObj::CallWithFrameOnStack+0xff
04c5b134 6d1f493c jscript!ScrFncObj::Call+0x8f
04c5b1b8 6d1f2755 jscript!NameTbl::InvokeInternal+0x137
04c5b1ec 6d1f2fa4 jscript!VAR::InvokeByDispID+0x17c
04c5b388 6d1f123b jscript!CScriptRuntime::Run+0x29e0
04c5b470 6d1f1175 jscript!ScrFncObj::CallWithFrameOnStack+0xff
04c5b4bc 6d1f0fa3 jscript!ScrFncObj::Call+0x8f
04c5b538 6d1d3ea3 jscript!CSession::Execute+0x175
04c5b584 6d1d552f jscript!COleScript::ExecutePendingScripts+0x1c0
04c5b5e8 6d1d5345 jscript!COleScript::ParseScriptTextCore+0x29a
04c5b610 6c9ca304 jscript!COleScript::ParseScriptText+0x30
04c5b668 6cb954c2 mshtml!CScriptCollection::ParseScriptText+0x219
04c5d700 6cb7a568 mshtml!CWindow::ExecuteScriptUri+0x19f
04c5d748 6cb95810 mshtml!CWindow::NavigateEx+0x5a
04c5d7b4 6cb956b5 mshtml!CDoc::ExecuteScriptUri+0x262
04c5d7f0 6cc66b68 mshtml!CDoc::ExecuteScriptURL+0x4e
04c5d844 6cad41a7 mshtml!CHyperlink::ClickAction+0x269
04c5d854 6cad416e mshtml!CAnchorElement::ClickAction+0x10
04c5d888 6cb296c5 mshtml!CElement::DoClick+0x155
04c5d8b8 6cad01ff mshtml!CAnchorElement::DoClick+0x6d
04c5d954 6cbae941 mshtml!CDoc::PumpMessage+0xf63
04c5dacc 6cad4408 mshtml!CDoc::OnMouseMessage+0x55d
04c5dbf8 6caa9241 mshtml!CDoc::OnWindowMessage+0x9d9
04c5dc24 7741fd72 mshtml!CServer::WndProc+0x78
04c5dc50 7741fe4a user32!InternalCallWinProc+0x23
04c5dcc8 7742018d user32!UserCallWinProcCheckWow+0x14b
04c5dd2c 7742022b user32!DispatchMessageWorker+0x322
04c5dd3c 7094c1d5 user32!DispatchMessageW+0xf
04c5fe44 708f337e ieframe!CTabWindow::_TabWindowThreadProc+0x54c
04c5fefc 7647426d ieframe!LCIETab_ThreadProc+0x2c1
04c5ff0c 7627d0e9 iertutil!CIsoScope::RegisterThread+0xab
04c5ff18 777f19bb kernel32!BaseThreadInitThunk+0xe
04c5ff58 777f198e ntdll!__RtlUserThreadStart+0x23
04c5ff70 00000000 ntdll!_RtlUserThreadStart+0x1b
We see that IE was trying to send an HTTP request:
0:004> ub 765bb7b1
urlmon!CINetHttp::INetAsyncSendRequest+0x31f:
765bb799 8bce            mov     ecx,esi
765bb79b e8ef000000      call    urlmon!CINetHttp::SetOptionUserAgent (765bb88f)
765bb7a0 ff75f0          push    dword ptr [ebp-10h]
765bb7a3 ff75ec          push    dword ptr [ebp-14h]
765bb7a6 53              push    ebx
765bb7a7 53              push    ebx
765bb7a8 ff767c          push    dword ptr [esi+7Ch]
765bb7ab ff1544a06576    call    dword ptr [urlmon!_imp__HttpSendRequestW (7665a044)]
From MSDN we get the following function prototype:
BOOL HttpSendRequest(
  __in HINTERNET hRequest,
  __in LPCTSTR lpszHeaders,
  __in DWORD dwHeadersLength,
  __in LPVOID lpOptional,
  __in DWORD dwOptionalLength
);
Now we check the raw stack for parameters:
0:004> dps 04c596d4
04c596d4 04c59714
04c596d8 765bb7b1 urlmon!CINetHttp::INetAsyncSendRequest+0x347
04c596dc 00cc000c ; hRequest
04c596e0 1122cd58 ; lpszHeaders
04c596e4 ffffffff ; dwHeadersLength (-1)
04c596e8 11152e88 ; lpOptional
04c596ec 00000179 ; dwOptionalLength
04c596f0 00000001
04c596f4 77583302 wininet!InternetSetOptionA
04c596f8 110f6d68
04c596fc 0000000b
04c59700 11152e88
04c59704 00000178
04c59708 00000000
04c5970c 11230fe8
04c59710 00000000
04c59714 04c59f34
04c59718 765bb32b urlmon!CINetHttp::INetAsyncOpenRequest+0x2cf
04c5971c 00cc0008
04c59720 110f6d68
04c59724 00000000
04c59728 112d2fe8
04c5972c 112d4fe8
04c59730 112d6fe0
The lpszHeaders parameter points to this string:
0:004> du 1122cd58
1122cd58 "Referer: https://www.[...XXX...].ie/o"
1122cd98 "nline/login.aspx..Accept-Languag"
1122cdd8 "e: en-ie..User-Agent: Mozilla/4."
1122ce18 "0 (compatible; MSIE 8.0; Windows"
1122ce58 " NT 6.0; Trident/4.0; MathPlayer"
1122ce98 " 2.10d; SLCC1; .NET CLR 2.0.5072"
1122ced8 "7; Media Center PC 5.0; .NET CLR"
1122cf18 " 3.5.30729; .NET CLR 3.0.30729)."
1122cf58 ".Content-Type: application/x-www"
1122cf98 "-form-urlencoded..Accept-Encodin"
1122cfd8 "g: gzip, deflate"
The lpOptional parameter points to a string that contains the login id and password:
0:004> da 11152e88
11152e88 "__EVENTTARGET=lbtnContinue&__EVE"
11152ea8 "NTARGUMENT=&__VIEWSTATE=%2FwEPDw"
[...]
11152fc8 "u7j7pXFuOFg1%2B&txtLogin=0123456"
11152fe8 "789&txtPassword=password???????"
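Because a POST body like the one above sits in plain memory, a dump taken at this moment carries the credentials wherever it goes. As an added example that is not part of the original text, here is a small Python scrubber that locates such form-encoded secret fields in a dump (in both narrow ASCII and UTF-16LE, since IE keeps strings in both forms) and overwrites the values in place before the file is shared; the field-name list and the sample buffer are constructed assumptions.

```python
import re

# Field names that look like secrets (modelled on the page's txtPassword
# field; the list is an assumption, extend it for your own forms).
SECRET_FIELD = re.compile(r'(?i)([a-z_]*(?:password|passwd|pwd|pin))=([^&\s"]*)')
# Printable runs inside a process image: narrow (ASCII) and wide (UTF-16LE).
ASCII_RUN = re.compile(rb'[\x20-\x7e]{8,}')
WIDE_RUN = re.compile(rb'(?:[\x20-\x7e]\x00){8,}')

def find_credentials(dump: bytes):
    """Return (offset, encoding, field, value) for every form-encoded
    secret field found in the dump, sorted by offset."""
    hits = []
    for enc, pat, width in (("ascii", ASCII_RUN, 1), ("utf-16-le", WIDE_RUN, 2)):
        for run in pat.finditer(dump):
            text = run.group().decode(enc)
            for m in SECRET_FIELD.finditer(text):
                hits.append((run.start() + m.start() * width, enc,
                             m.group(1), m.group(2)))
    return sorted(hits)

def redact(dump: bytes) -> bytes:
    """Overwrite each secret value in place with X's, keeping the length so
    every other offset in the dump stays valid for later analysis."""
    out = bytearray(dump)
    for offset, enc, field, value in find_credentials(dump):
        width = 1 if enc == "ascii" else 2
        start = offset + (len(field) + 1) * width      # skip past "field="
        out[start:start + len(value) * width] = ("X" * len(value)).encode(enc)
    return bytes(out)

# Constructed stand-in for a slice of process memory: an ASCII POST body like
# the one on the page, followed by a UTF-16LE fragment (all values made up).
SAMPLE_DUMP = (
    b"\x00\x10\x00\x00Referer: https://bank.example/online/login.aspx\r\n\x00\x00"
    b"__EVENTTARGET=lbtnContinue&txtLogin=user01&txtPassword=Hunter2!&btn=Go\x00"
    b"\xcc\xcc" + "pwd=abc123&x=1".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, enc, field, value in find_credentials(SAMPLE_DUMP):
        print(f"{offset:08x} {enc:9} {field}={value!r}")
    print(redact(SAMPLE_DUMP))
```

Run it over a real dump by reading the file into `dump` and writing `redact(dump)` to a new file; the redacted copy keeps its size and every other structure intact.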
One of our computers got infected. We first noticed the possible infection when IE started crashing as we pressed the login button on one of the online banking web sites. However, we didn't pay enough attention because it was heap corruption (page 401) and simply switched to another, non-crashing browser vendor such as Apple Safari. Since then IE was crashing periodically when we were pressing various admin buttons in WordPress, but we didn't pay much attention to that either because it was still heap corruption and we thought it was a script processing defect. We were waiting for a new IE update, until one day explorer.exe crashed as well when we were entering a password for an FTP account. Here's the stack trace that we got after opening the crash dump in WinDbg:
0:030> kL 100
ChildEBP RetAddr
0663e9c4 76f05610 ntdll!KiFastSystemCallRet
0663e9c8 7706a5d7 ntdll!NtWaitForMultipleObjects+0xc
0663ea64 7706a6f0 kernel32!WaitForMultipleObjectsEx+0x11d
0663ea80 770de2a5 kernel32!WaitForMultipleObjects+0x18
0663eaec 770de4d1 kernel32!WerpReportFaultInternal+0x16d
0663eb00 770bff4d kernel32!WerpReportFault+0x70
0663eb8c 76f17fc1 kernel32!UnhandledExceptionFilter+0x1b5
0663eb94 76ea9bdc ntdll!__RtlUserThreadStart+0x6f
0663eba8 76ea4067 ntdll!_EH4_CallFilterFunc+0x12
0663ebd0 76f05f79 ntdll!_except_handler4+0x8e
0663ebf4 76f05f4b ntdll!ExecuteHandler2+0x26
0663eca4 76f05dd7 ntdll!ExecuteHandler+0x24
0663eca4 93181a08 ntdll!KiUserExceptionDispatcher+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
0663efa0 0321aaaf 0x93181a08
0663efac 6b887974 0x321aaaf
0663efbc 6b8973ad msieftp!InternetCloseHandleWrap+0x10
0663f810 6b897fbf msieftp!CFtpSite::_QueryServerFeatures+0x57
0663fa50 6b8981ae msieftp!CFtpSite::_LoginToTheServer+0x235
0663fa94 6b88b39e msieftp!CFtpSite::GetHint+0xe8
0663fab4 6b88b412 msieftp!CFtpDir::GetHint+0x1f
0663fae4 6b88ed38 msieftp!CFtpDir::WithHint+0x49
0663fb10 6b88eda4 msieftp!CFtpEidl::_Init+0x6e
0663fb2c 7584ecb4 msieftp!CFtpEidl::Next+0x41
0663fb64 7584f63b shell32!CEnumThread::_EnumFolder+0x65
0663fb80 7584f5ba shell32!CEnumThread::_RunEnum+0x6f
0663fb8c 7645c2c9 shell32!CEnumThread::s_EnumThreadProc+0x14
0663fc10 7706d0e9 shlwapi!WrapperThreadProc+0x11c
0663fc1c 76ee19bb kernel32!BaseThreadInitThunk+0xe
0663fc5c 76ee198e ntdll!__RtlUserThreadStart+0x23
0663fc74 00000000 ntdll!_RtlUserThreadStart+0x1b
Notice the 0x321aaaf address. We see that a wininet function is hooked (Volume 1, page 469) by code running in the 0x0321XXXX range:
0:030> ub 6b887974
msieftp!InternetOpenWrap+0x46:
6b887963 cc              int     3
msieftp!InternetCloseHandleWrap:
6b887964 8bff            mov     edi,edi
6b887966 55              push    ebp
6b887967 8bec            mov     ebp,esp
6b887969 56              push    esi
6b88796a ff7508          push    dword ptr [ebp+8]
6b88796d 33f6            xor     esi,esi
6b88796f e82e610100      call    msieftp!InternetCloseHandle (6b89daa2)
0:030> u 6b89daa2
msieftp!InternetCloseHandle:
6b89daa2 ff2500278a6b    jmp     dword ptr [msieftp!_imp__InternetCloseHandle (6b8a2700)]
msieftp!_imp_load__InternetConnectW:
6b89daa8 b834278a6b      mov     eax,offset msieftp!_imp__InternetConnectW (6b8a2734)
6b89daad e9b4feffff      jmp     msieftp!_tailMerge_WININET_dll (6b89d966)
6b89dab2 cc              int     3
6b89dab3 cc              int     3
6b89dab4 cc              int     3
6b89dab5 cc              int     3
6b89dab6 cc              int     3
0:030> dp 6b8a2700 l1
6b8a2700  76dc9088
0:030> u 76dc9088
wininet!InternetCloseHandle:
76dc9088 e9031a458c      jmp     0321aa90
76dc908d 51              push    ecx
76dc908e 51              push    ecx
76dc908f 53              push    ebx
76dc9090 56              push    esi
76dc9091 57              push    edi
76dc9092 33db            xor     ebx,ebx
76dc9094 33ff            xor     edi,edi
0:030> u 0321aa90
0321aa90 55              push    ebp
0321aa91 8bec            mov     ebp,esp
0321aa93 837d0800        cmp     dword ptr [ebp+8],0
0321aa97 740c            je      0321aaa5
0321aa99 8b4508          mov     eax,dword ptr [ebp+8]
0321aa9c 50              push    eax
0321aa9d e82eedffff      call    032197d0
0321aaa2 83c404          add     esp,4
This address range is not in the loaded module list, so we use the image scanning command to detect a Hidden Module (Volume 2, page 339):
0:030> .imgscan
MZ at 00080000, prot 00000002, type 01000000 - size 2cd000
Name: explorer.exe
MZ at 003d0000, prot 00000002, type 00040000 - size 2000
MZ at 018a0000, prot 00000008, type 00040000 - size 7000
MZ at 031c0000, prot 00000008, type 00040000 - size 3000
MZ at 031d0000, prot 00000002, type 01000000 - size c000
Name: DLAAPI_W.DLL
MZ at 03210000, prot 00000040, type 00020000 - size 1d000
[...]
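Both checks above, the jmp at the start of wininet!InternetCloseHandle leading outside every module and the .imgscan MZ header at 03210000 that no module claims, can be automated. The following Python is an added example, not code from the original text: it decodes an E9 rel32 jump the way the u command does (with 32-bit wraparound), checks the target against a module list, and parses .imgscan output for images outside that list; the wininet.dll range in MODULES is a constructed assumption, while the other values are taken from the page.

```python
import re
import struct

# Module ranges as WinDbg's lm/.imgscan report them: explorer.exe and DLAAPI_W.DLL
# are from the page, the wininet.dll range is a constructed assumption.
MODULES = {
    "explorer.exe": (0x00080000, 0x00080000 + 0x2cd000),
    "DLAAPI_W.DLL": (0x031d0000, 0x031d0000 + 0xc000),
    "wininet.dll": (0x76dc0000, 0x76dc0000 + 0x1c0000),
}
PAGE_EXECUTE_READWRITE = 0x40  # the prot value .imgscan showed for 03210000

def module_for(addr):
    """Name of the listed module containing addr, or None."""
    return next((n for n, (lo, hi) in MODULES.items() if lo <= addr < hi), None)

def jmp_rel32_target(va, code):
    """Decode an E9 rel32 near jmp at va (32-bit wraparound); None if not E9."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    return (va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF

def check_prologue(name, va, code):
    """Flag an export whose first instruction jumps outside every listed
    module: the inline-hook pattern the page found in InternetCloseHandle."""
    target = jmp_rel32_target(va, code)
    if target is None or module_for(target) is not None:
        return None
    return f"{name} at {va:08x} jumps to {target:08x}, not in any module"

IMGSCAN_LINE = re.compile(
    r"MZ at ([0-9a-f]+), prot ([0-9a-f]+), type [0-9a-f]+ - size ([0-9a-f]+)")

def hidden_images(imgscan_output):
    """(base, size, rwx) for each MZ header outside every listed module; a
    writable and executable one is the strongest hidden-module signal."""
    findings = []
    for m in IMGSCAN_LINE.finditer(imgscan_output):
        base, prot, size = (int(x, 16) for x in m.groups())
        if module_for(base) is None:
            findings.append((base, size, prot == PAGE_EXECUTE_READWRITE))
    return findings

# .imgscan output copied from the page's explorer.exe dump.
IMGSCAN_SAMPLE = """MZ at 00080000, prot 00000002, type 01000000 - size 2cd000
Name: explorer.exe
MZ at 003d0000, prot 00000002, type 00040000 - size 2000
MZ at 018a0000, prot 00000008, type 00040000 - size 7000
MZ at 031c0000, prot 00000008, type 00040000 - size 3000
MZ at 031d0000, prot 00000002, type 01000000 - size c000
Name: DLAAPI_W.DLL
MZ at 03210000, prot 00000040, type 00020000 - size 1d000
"""
```

Calling `check_prologue("wininet!InternetCloseHandle", 0x76dc9088, bytes.fromhex("e9031a458c"))` with the bytes the u command showed reports the jump to 0321aa90, and `hidden_images(IMGSCAN_SAMPLE)` singles out the 03210000 image as the only writable and executable one.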
The !dh command does not show any useful hints, so we dump the whole address range of that Unknown Component (Volume 1, page 367) and find strange strings inside:
0:030> db 03210000 03210000+1d000
[...]
032246d0  2a 00 00 00 2a 00 00 00-42 6c 61 63 6b 77 6f 6f  *...*...Blackwoo
032246e0  64 50 52 4f 00 00 00 00-46 69 6e 61 6d 44 69 72  dPRO....FinamDir
032246f0  65 63 74 00 47 72 61 79-42 6f 78 00 4d 62 74 50  ect.GrayBox.MbtP
03224700  52 4f 00 00 4c 61 73 65-72 00 00 00 4c 69 67 68  RO..Laser...Ligh
03224710  74 53 70 65 65 64 00 00-4c 54 47 72 6f 75 70 00  tSpeed..LTGroup.
03224720  4d 62 74 00 53 63 6f 74-54 72 61 64 65 72 00 00  Mbt.ScotTrader..
03224730  53 61 78 6f 54 72 61 64-65 72 00 00 00 00 00 00  SaxoTrader......
03224740  50 72 6f 67 72 61 6d 3a-20 20 20 25 73 0d 0a 55  Program:   %s..U
03224750  73 65 72 6e 61 6d 65 3a-20 20 25 73 0d 0a 50 61  sername:  %s..Pa
03224760  73 73 77 6f 72 64 3a 20-20 25 73 0d 0a 41 63 63  ssword:  %s..Acc
03224770  6f 75 6e 74 4e 4f 3a 20-25 73 0d 0a 53 65 72 76  ountNO: %s..Serv
03224780  65 72 3a 20 20 20 20 25-73 0d 0a 00 5c 00 00 00  er:    %s...\...
03224790  25 73 20 25 73 00 00 00-25 73 00 00 50 52 4f 43  %s %s...%s..PROC
032247a0  45 53 53 4f 52 5f 49 44-45 4e 54 49 46 49 45 52  ESSOR_IDENTIFIER
032247b0  00 00 00 00 25 64 00 00-25 30 32 58 00 00 00 00  ....%d..%02X....
032247c0  30 00 00 00 2c 00 00 00-25 30 32 58 00 00 00 00  0...,...%02X....
[...]
03225000  01 01 00 00 5c 00 63 00-68 00 6b 00 6e 00 74 00  ....\.c.h.k.n.t.
03225010  66 00 73 00 2e 00 65 00-78 00 65 00 00 00 00 00  f.s...e.x.e.....
03225020  5c 00 63 00 68 00 6b 00-6e 00 74 00 66 00 73 00  \.c.h.k.n.t.f.s.
03225030  2e 00 64 00 61 00 74 00-00 00 00 00 a6 b7 04 5e  ..d.a.t........^
[...]
We didn't pay attention to chkntfs.exe at first but searched all files for the SaxoTrader string using the findstr command and found chkntfs.exe, marked as a system file, in the Start Menu Programs Startup folder under the roaming user AppData. We couldn't remove it, so we had to boot into command line mode to do that. The crashes have been gone since then. We double-checked various iexplore.exe crash dumps saved previously and found the same module loaded, for example:
0:005> .imgscan
MZ at 00040000, prot 00000040, type 00020000 - size 1d000
MZ at 00340000, prot 00000002, type 01000000 - size 9c000
Name: iexplore.exe
[...]
Here we consider IE and Explorer as victimware of malware.